AUTHENTICATEC 
US. GOVERNMEN 
INFORMATION 


GP( 



COMBATING PRETEXTING: 
PREVENTION OF FRAUDULENT 
ACCESS TO PHONE RECORDS ACT 


HEARING 


BEFORE THE 


COMMITTEE ON ENERGY AND 
COMMERCE 

HOUSE OF REPRESENTATDH]S 


ONE HUNDRED TENTH CONGRESS 

FIRST SESSION 

ON 

H.R. 936 

MARCH 9, 2007 

Serial No. 110-16 



Printed for the use of the Committee on Energy and Commerce 
energycommerce.house.gov 


U.S. GOVERNMENT PRINTING OFFICE 


WASHINGTON : 2008 


39-361 PDF 


For sale by the Superintendent of Documents, U.S. Government Printing Office 
Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC area (202) 512-1800 
Fax: (202) 512-2104 Mail: Stop IDCC, Washington, DC 20402-0001 


COMMITTEE ON ENERGY AND COMMERCE 


JOHN D. DINGELL, Michigan, Chairman 


HENRY A. WAXMAN, California 
EDWARD J. MARKEY, Massachusetts 
RICK BOUCHER, Virginia 
EDOLPHUS TOWNS, New York 
FRANK PALLONE, jR., New Jersey 
BART GORDON, Tennessee 
BOBBY L. RUSH, Illinois 
ANNA G. ESHOO, California 
BART STUPAK, Michigan 
ELIOT L. ENGEL, New York 
ALBERT R. WYNN, Maryland 
GENE GREEN, Texas 
DIANA DeGETTE, Colorado 
Vice Chairman 
LOIS CAPPS, California 
MIKE DOYLID, Pennsylvania 
JANE HARMAN, California 
TOM ALLEN, Maine 
JAN SCHAKOWSKY, Illinois 
HILDA L. SOLIS, California 
CHARLES A. GONZALEZ, Texas 
JAY INSLEE, Washington 
TAMMY BALDWIN, Wisconsin 
MIKE ROSS, Arkansas 
DARLENE HOOLEY, Oregon 
ANTHONY D. WEINER, New York 
JIM MATHESON, Utah 
G.K. BUTTERFIELD, North Carolina 
CHARLIE MELANCON, Louisiana 
JOHN BARROW, Georgia 
BARON P. HILL, Indiana 


JOE BARTON, Texas 

Ranking Minority Member 
RALPH M. HALL, Texas 
J. DENNIS HASTERT, Illinois 
FRED UPTON, Michigan 
CLIFF STEARNS, Florida 
NATHAN DEAL, Georgia 
ED WHITFIELD, Kentucky 
BARBARA CUBIN, Wyoming 
JOHN SHIMKUS, Illinois 
HEATHER WILSON, New Mexico 
JOHN B. SHADEGG, Arizona 
CHARLES W. “CHIP” PICKERING, 
Mississippi 

VITO FOSSELLA, New York 

STEVE BUYER, Indiana 

GEORGE RADANOVICH, California 

JOSEPH R. PITTS, Pennsylvania 

MARY BONO, California 

GREG WALDEN, Oregon 

LEE TERRY, Nebraska 

MIKE FERGUSON, New Jersey 

MIKE ROGERS, Michigan 

SUE WILKINS MYRICK, North Carolina 

JOHN SULLIVAN, Oklahoma 

TIM MURPHY, Pennsylvania 

MICHAEL C. BURGESS, Texas 

MARSHA BLACKBURN, Tennessee 


Professional Staff 

Dennis B. Fitzgibbons, Chief of Staff 
Gregg A. Rothschild, Chief Counsel 
Sharon E. Davis, Chief Clerk 
Bud Albright, Minority Staff Director 


(II) 



CONTENTS 


Page 

Hon. John D. Dingell, a Representative in Congress from the State of Michi- 
gan, opening statement 1 

Hon. Hon. Fred Upton, a Representative in Congress from the State of Michi- 
gan, opening statement 3 

Hon. Edward J. Markey, a Representative in Congress from the Common- 
wealth of Massachusetts, opening statement 4 

Hon. Cliff Stearns, a Representative in Congress from the State of Florida, 

opening statement 5 

Hon. Bobby L. Rush, a Representative in Congress from the State of Illinois, 

opening statement 6 

Hon. Joe Barton, a Representative in Congress from the State of Texas, 

opening statement 6 

Hon. Rick Boucher, a Representative in Congress from the Commonwealth 

of Virginia, opening statement 7 

Hon. J. Dennis Hastert, a Representative in Congress from the State of 

Illinois, opening statement 7 

Hon. Albert R. Wynn, a Representative in Congress from the State of Mary- 
land, opening statement 8 

Hon. Joseph R. Pitts, a Representative in Congress from the Commonwealth 

of Pennsylvania, opening statement 8 

Hon. Gene Green, a Representative in Congress from the State of Texas, 

opening statement 9 

Hon. Greg Walden, a Representative in Congress from the State of Oregon, 

opening statement 9 

Hon. Anthony D. Weiner, a Representative in Congress from the State of 

New York, opening statement 10 

Hon. Diana DeGette, a Representative in Congress from the State of Colo- 
rado, opening statement 10 

Hon. Edolphus Towns, a Representative in Congress from the State of New 

York, opening statement 11 

Hon. Jay Inslee, a Representative in Congress from the State of Washington, 

opening statement 12 

Hon. Tammy Baldwin, a Representative in Congress from the State of Wis- 
consin, opening statement 12 

Hon. Barbara Cubin, a Representative in Congress from the State of Colo- 
rado, opening statement 13 

Hon. Jan Schakowsky, a Representative in Congress from the State of Illi- 
nois, opening statement 13 

H.R. 936, To prohibit fraudulent access to telephone records 14 

Witnesses 

Lydia Parnes, Director, Bureau of Consumer Protection, U.S. Federal Trade 

Commission 32 

Prepared statement 34 

Thomas Navin, Chief, Wireline Bureau, Federal Communications Commis- 
sion 45 

Prepared statement 47 

Marc Rotenberg, executive director. Electronic Privacy Information Center 56 

Prepared statement 56 

Hon. Steve Largent, president, chief executive officer, CTIA-the Wireless As- 
sociation 67 

Prepared statement 69 

Walter McCormick, president and chief executive officer. United States 
Telecom Association 79 


(III) 



IV 


Page 


Walter McCormick, president and chief executive officer, United States 
Telecom Association — Continued 

Prepared statement 81 

David Einhorn, president, Greenlight Capital, Incorporated, 84 

Prepared statement 86 



COMBATING PRETEXTING: PREVENTION OF 
FRAUDULENT ACCESS TO PHONE RECORDS 
ACT 


FRIDAY, MARCH 9, 2007 

House of Representatives, 
Committee on Energy and Commerce, 

Washington, DC. 

The committee met, pursuant to call, at 10:30 a.m., in room 2123 
of the Rayburn House Office Building, Hon. John D. Dingell (chair- 
man) presiding. 

Members present: Representatives Markey, Boucher, Towns, 
Rush, Stupak, Wynn, Green, DeGette, Schakowsky, Gonzalez, Ins- 
lee, Baldwin, Hooley, Weiner, Barrow, Barton, Hall, Hastert, 
Upton, Stearns, Cubin, Shimkus, Shadegg, Pickering, Radanovich, 
Pitts, Walden, Terry, Ferguson, Rogers, Sullivan, Murphy, and 
Burgess. 

OPENING STATEMENT OF HON. JOHN D. DINGELL, A 

REPRESENTATIVE IN CONGRESS FROM THE STATE OF 

MICHIGAN 

The Chairman. The hearing will come to order. 

I thank you all for coming here to be with us and discuss these 
matters, our views on H.R. 936, the Prevention of Fraudulent Ac- 
cess to Phone Records Act. 

A certain major telecommunications company allegedly turned 
over detailed call records of millions of Americans to the National 
Security Agency. These phone customers were not informed that 
NSA had their records. Apparently, this may have been done with- 
out proper process. At least one company found it illegal and re- 
fused to comply. 

We also learned about pretexting, which occurs when a person 
obtains phone records through fraudulent means. Apparently, some 
of the largest companies in America, such as Hewlett-Packard Cor- 
poration, did not see any problems in using this deceptive practice. 
One of our witnesses discovered 40 Web sites that offered to sell 
phone records to anyone online. 

Last Congress, this committee’s Subcommittee on Oversight and 
Investigations held several hearings on pretexting abuses and scan- 
dals, and I want to commend our two friends, Mr. Stupak and Mr. 
Whitfield for their extraordinary leadership in building a strong 
record on these matters. 


( 1 ) 



2 


In a bipartisan manner, this committee passed the same legisla- 
tion that we are discussing today. The legislation is bipartisan, and 
I intend to see that it remains so. 

We also commend Ranking Member Barton for his distinguished 
leadership and for his willingness to work to produce sound legisla- 
tion. 

Unfortunately, after the committee reported the bill, for some 
strange reason, it mysteriously disappeared from the House floor 
schedule, and the House took no action before the 109th Congress 
adjourned, so today, we will continue our effort to ensure that call 
record information held by phone companies remains secure. 

In that regard, I am pleased that we have before us representa- 
tives of the Federal Communications Commission and the Federal 
Trade Commission to discuss these matters. The FCC is charged 
with ensuring that phone companies protect our calling records. 
And the FTC has the ability to crack down on fraudulent practices, 
such as pretexting. This legislation will provide more specific au- 
thority to both the FCC and the FTC to take appropriate action. 

We need to hear from the FCC what they are doing to protect 
these records. Every telecommunications company under the Com- 
munications Act has a duty to protect the sensitive, personal infor- 
mation of customers. Given the well-publicized breaches of cus- 
tomer privacy, we must address whether the statute adequately 
empowers the FCC to protect those records. I am aware that the 
FCC had expected to issue new rules governing phone record secu- 
rity by the end of the year. And we are encouraged that that is so, 
and we encourage the FCC to issue these new rules as quickly as 
they are able. 

Likewise, we need to hear from the FTC on whether or not they 
believe they have the authority, under existing law, to pursue those 
who engage in pretexting. The FTC has been aggressive in using 
section 5 of the Federal Trade Commission Act, which prohibits un- 
fair and deceptive acts and practices in interstate commerce to 
bring enforcement actions against pretexters. But last year, they 
testified that more specific prohibitions were needed against 
pretexting soliciting and selling customer phone records. The agen- 
cy also seeks enhanced authority to impose civil penalties. 

The Chair also looks forward to the testimony of the other distin- 
guished members of our panel, the landline and wireless compa- 
nies. And last, but, by no means, least, we will hear important tes- 
timony from a victim of pretexting. This is not a faceless crime, and 
it is not a crime that has no consequences. Mr. Einhorn, the com- 
mittee thanks you for coming before us, and I am sorry, indeed, 
about what has happened to you and your family, and I pledge the 
best efforts of myself and the committee to make this kind of event 
less likely to happen to anyone else. 

In the interest of fairness, the committee will leave the record 
open for 30 days in case Allied Capital wants to submit a state- 
ment. 

This measure passed this committee in a bipartisan fashion last 
Congress. Just as Mr. Barton did last Congress so effectively well, 
I will work to address this issue in the same bipartisan manner. 
And as always, the committee will conduct the oversight necessary 



3 


to ensure that the American people are protected in the privacy of 
their phone records. 

The Chair will follow the usual practices of the committee, and 
we will recognize the members for 3 minutes. And if the members 
choose to waive that 3-minute opening statement, they will be rec- 
ognized for an additional 3 minutes at the time of the questioning. 

The Chair recognizes now the distinguished gentleman from 
Michigan, Mr. Upton, who has done a superb job on this legisla- 
tion. Mr. Upton for 3 minutes. 

OPENING STATEMENT OF HON. FRED UPTON, A REPRESENTA- 
TIVE IN CONGRESS FROM THE STATE OF MICHIGAN 

Mr. Upton. Well, thank you, Mr. Chairman. I know Mr. Barton 
is on the way as well. 

There have been great advances in technology since the days of 
the little black rotary phone. But the unfortunate reality is that, 
along with great advances in technology, there have been great ad- 
vances in fraud as well. 

Over the last year, pretexting has garnered the national spot- 
light. Nearly a year ago, to the day, we marked up similar legisla- 
tion in this committee, but hit a few minor bumps along the way. 
And I am hopeful that we will have a little more success this time, 
and consumers will, in fact, be the better for it. 

On the surface, pretexting seems harmless enough, but it is a 
violation of one’s basic rights that can have grave consequences. 
Someone with bad intentions and a few bucks can get a hold of al- 
most anyone cell phone record. It is alarming that our cell phone 
bills, a score sheet for our daily lives, can fall into the wrong hands 
with a simple phone call or even a click of the mouse. 

The consequences of firms trying to make a quick buck on the 
Internet are terrifying. Records can be used to track down some- 
one’s location, such as a woman in hiding from an abusive partner 
or stalker. Gangs and drug runners have been known to obtain 
phone records to determine if anyone in their group, in their gang, 
has been in contact with rival groups or even with the police. 

It doesn’t matter what the motive is, no matter how barbaric or 
innocent the intentions, pretexting is wrong and a violation of an 
individual’s basic right to privacy. Carriers do have a duty to pro- 
tect their customers, and we have a duty to close the loophole once 
and for all. 

We have a quality piece of bipartisan legislation that will bring 
an end to this practice, once and for all. And the Nation’s 190 mil- 
lion cell phone users will all be safer for it. And while we continue 
to make great advances in technology, one thing that will continue 
to remain constant is the consumer’s right to privacy. 

I yield back my time. 

Thank you, Mr. Chairman. 

The Chairman. I thank the gentleman. 

The Chair recognizes now the distinguished gentleman from 
Massachusetts, Mr. Markey, for 3 minutes. 



4 


OPENING STATEMENT OF HON. EDWARD J. MARKET, A REP- 
RESENTATIVE IN CONGRESS FROM THE COMMONWEALTH 

OF MASSACHUSETTS 

Mr. Markey. I thank the chairman very much. 

Mr. Chairman, personal privacy is the cornerstone of individual 
freedom. A person’s telephone records can disclose some of the most 
intimate details of a person’s life, information about who you call, 
when you call, how long you are on the phone can reveal a lot 
about a person, their relationships, their business dealings, their 
family members, their children. The public sale of this information 
can be embarrassing, awkward, and uncomfortable for a consumer. 
It can be dangerous when it is in the hands of stalkers, thieves, 
abusers, and others who intend to do harm. 

More troubling, in my mind, is the fact that last year this com- 
mittee discovered that pretexting is not solely the province of indi- 
vidual, low-rent fraudsters who prey on vulnerable citizens. In a 
shocking revelation last September, Hewlett-Packard, a Fortune 
500 company, agreed to pay a $14 million penalty for illegal 
pretexting. Likewise, Washington hedge fund manager, David 
Einhorn, who is testifying here today, fell victim to pretexting 
when a financial service’s firm hired someone to illegally obtain his 
phone records. 

In the last Congress, this committee passed this important bill 
to ensure that consumer phone records are not for sale in some 
cyberspace bizarre and to take action to shut down these practices. 
Last session’s bill, however, mysteriously disappeared from the 
House suspension calendar prior to House floor consideration, re- 
portedly due to concerns from the intelligence community. These 
concerns implicated the alleged disclosure of phone records by cer- 
tain telephone companies to the National Security Agency or oth- 
ers. The pretexting bill’s sudden disappearance represented a case 
of extraordinary legislative rendition. 

Under the Telecommunications Act, telephone companies are le- 
gally obligated to safeguard the confidentiality of phone records. 
After the scandals of last year, many phone companies certainly re- 
sponded by tightening internal controls to prevent unauthorized 
disclosure of phone records. While the fraudsters may be acting il- 
legally by using pretexting, the fact that these records are appar- 
ently so easily obtained on the Internet and elsewhere makes it 
self-evident that enforcement and security needs to be stepped up. 

The FCC has been developing new rules to do just that for sev- 
eral months, and we are eager for the Commission to finalize its 
action. Doing so may obviate the need to legislate portions of the 
bill before us. I also continue to believe it is important for the Com- 
mission, as an independent, regulatory agency, to investigate 
media reports regarding disclosure of consumer phone records by 
phone companies without legal process and in violation of the Com- 
munications Act. This is still timely, as this morning’s newspapers 
indicate. There is still a lack of respect of a law of our country that 
privacy of Americans be protected and that only a judge, ulti- 
mately, can authorize the compromise of these important commu- 
nications records. 



5 


I look forward to working with you, Mr. Chairman, Mr. Barton, 
Mr. Upton, with Chairman Rush, and Mr. Stearns, and our other 
committee colleagues on this important legislation. 

I thank you. 

The Chairman. The Chair thanks the distinguished gentleman. 

The Chair recognizes now our good friend from Florida, Mr. 
Stearns, for 3 minutes. 

OPENING STATEMENT OF HON. CLIFF STEARNS, A REP- 
RESENTATIVE IN CONGRESS FROM THE STATE OF FLORIDA 

Mr. Stearns. Mr. Chairman, thank you very much. This is deja 
vu all over again. I mean, we have been talking about this bill. We 
have had the hearings on it in my subcommittee that I chaired in 
the last Congress, Commerce, Consumer Protection and Trade with 
the Federal Trade Commission having jurisdiction over this. Unfor- 
tunately, the Telecom Act of 1996 exempted common carriers, 
which allowed this to be under the jurisdiction of the FCC rather 
than the Federal Trade Commission. I think many of us on this 
side were sorely disappointed that we couldn’t have reached a com- 
promise and had this bill on the floor under suspension, perhaps 
with amendment, and got this through. I think we all realize, no 
matter what we talk about, the stark reality is that there is always 
going to be con artists and cyber thieves to keep us busy. And so 
we have got to pass this bill. We must recognize the importance of 
securing and protecting personal data from exploitation by 
fraudsters, whether the preferred technique is pretexting, hacking, 
or good old-fashioned fraud. Likewise, ensuring the public is in- 
formed about the need to protect personal data will also help 
thwart the fastest-growing criminal enterprise in America, which is 
identity theft. 

So, Mr. Chairman, our subcommittee that I chaired and now that 
Mr. Rush chairs are eagerly looking forward to passing this. And 
I think under your leadership, Mr. Dingell, hopefully, we will have 
this on the floor in short order. I think it is an issue that, for a 
long time, has been in agreement that it should pass. I am a co- 
sponsor of this bill, this H.R. 936. As we all know, it is not perfect. 
Perhaps as it works its way through the process out of our commit- 
tee and to the House floor and to the Senate, we will have that op- 
portunity to improve it. Hopefully, the intelligence community will 
come on board and not thwart and prevent this from passing. I 
think the good of this is overwhelming, and we must not restrict 
legitimate marketing practices that can benefit consumers, but we 
also might understand that there is a need to identify and protect 
the consumers’ privacy. 

So I look forward to working with you, Mr. Chairman, and obvi- 
ously Mr. Upton, who is chairman of the Telecommunications Com- 
mittee, and the ranking member of our full committee, Mr. Barton. 

Thank you. 

The Chairman. The Chair recognizes now the distinguished gen- 
tleman from Illinois, Mr. Rush, for 3 minutes. 



6 


OPENING STATEMENT OF HON. BOBBY L. RUSH, A REP- 
RESENTATIVE IN CONGRESS FROM THE STATE OF ILLINOIS 

Mr. Rush. Thank you, Chairman Dingell, for conducting this 
hearing. And I want to commend you and Ranking Member Barton 
for your continued bipartisan leadership on this issue. 

Mr. Chairman, pretexting is a serious problem that can have 
devastating effects on the average consumer. And I am sure Mr. 
Einhorn’s testimony will further illustrate the devastating effects 
that pretexting can have. 

Mr. Chairman, H.R. 936, the Prevention of Fraudulent Access to 
Phone Records Act, is a hard-hitting but deliberative response to 
this widespread crime. Most of today’s discussion in our hearing 
will center around title 2 of the bill. But as chairman of the Sub- 
committee on Commerce, Trade, and Consumer Protection, I want 
to highlight the provisions of title 1. 

Title 1 of the bill grants the FTC specific authority to crack down 
on pretexters by explicitly declaring the practice of fraudulently ob- 
taining or selling customer proprietary network information as an 
unlawful conduct and an unlawful act. The FTC will enforce this 
provision as a violation of the Federal Trade Commission Act and 
its prohibition on unfair or deceptive practices. The Commission is 
to be lauded for its past and ongoing enforcement actions under its 
existing authority under Section 5 of the FTC Act. But last year, 
in hearings, we heard testimony that the Commission needed more 
specific statutory authority to better protect the public, title 1 ful- 
fills this need. 

Mr. Chairman, every returning member of this committee voted 
for this bill in the last Congress, and it is my sincere hope that 
every member of this committee will repeat that vote. 

Too many consumers remain vulnerable to pretexting and its 
devastating effects, and H.R. 936 will go a long way in addressing 
this basic consumer protection issue. Last Congress, we did our job. 
We reported a good bill out of our committee for consideration on 
the House floor only to see it go nowhere and die. I hope this year’s 
bill won’t meet the same fate. Let us make sure that today’s hear- 
ing is the noth Congress’s first step toward eventually enacting 
this important measure into law. 

Thank you, Mr. Chairman. I yield back the balance of my time. 

The Chairman. Thanks to the distinguished gentleman from Illi- 
nois. 

It is with great pleasure that the Chair recognizes my good 
friend and colleague, the ranking member of the committee, Mr. 
Barton, who provided such extraordinary leadership in this matter 
last year. The gentleman is recognized for 5 minutes. 

OPENING STATEMENT OF HON. JOE BARTON, A 
REPRESENTATIVE IN CONGRESS FROM THE STATE OF TEXAS 

Mr. Barton. Thank you, Mr. Chairman. 

I won’t take very much time. I am submitting my full statement 
for the record. Suffice it to say that we worked together on this in 
the last Congress and didn’t quite get over the finish line. I am 
proud to be an original sponsor with you and several other mem- 
bers in this Congress. Pretexting is something that we need to com- 
bat. And as we all know, pretexting is pretending to be someone 



7 


you are not to get something you shouldn’t have to use in a way 
that is probably wrong. 

So I am sure, on a bipartisan basis, we can move this bill and 
move it to the floor and move it to the Senate and put it on the 
President’s desk and strike a blow for individual privacy in this 
Congress. 

And with that, I would yield back. 

The Chairman. The Chair thanks the gentleman, and without 
objection, his full statement will appear in the record, as will the 
statements of our other colleagues, who so desire. 

The Chair recognizes now our good friend and colleague, the gen- 
tleman from Virginia, Mr. Boucher, for 1 minute. Mr. Boucher. 

OPENING STATEMENT OF HON. RICK BOUCHER, A REP- 
RESENTATIVE IN CONGRESS FROM THE COMMONWEALTH 

OF VIRGINIA 

Mr. Boucher. Well, thank you very much, Mr. Chairman. 

It is my pleasure to join with you and other members of the com- 
mittee in cosponsoring this measure. And I commend the biparti- 
san process that has produced this bill. Pretexting was rendered 
unlawful by action in the last Congress, but there is an ongoing 
need to make sure that the integrity of customer proprietary infor- 
mation is protected by local exchange carriers and by the wireless 
industry. That information should never be sold, and there should 
be ongoing steps taken by the carrier to make sure that that infor- 
mation is appropriately safeguarded. 

That said, I think it is also important that we carefully evaluate 
the exemptions to make sure that none of the provisions about 
sharing information with third parties would prohibit normal and 
effective operations by the telecommunications carrier. They need 
to contract out certain information to third parties, including engi- 
neers and information technology specialists of various kinds. And 
the ability to do that is absolutely essential to the effective func- 
tioning of their operations. And so I would simply urge the commit- 
tee to take care, as we have this hearing, to listen to the represent- 
atives of the telecommunications industry and heed their rec- 
ommendations with regard to what the scope of those exemptions 
should be. 

Thank you, Mr. Chairman, and I yield back. 

Ms. DeGette [presiding]. The Chair is now delighted to recog- 
nize Mr. Hastert for 1 minute. 

OPENING STATEMENT OF HON. J. DENNIS HASTERT, A REP- 
RESENTATIVE IN CONGRESS FROM THE STATE OF ILLINOIS 

Mr. Hastert. Well, thank you, Madame Chairwoman. 

I would like to thank the witnesses for coming this morning to 
speak about pretexting and the sale of phone records. Since the de- 
velopment of the Internet, our personal information has been more 
readily available and increasingly easier to obtain. In fact, there is 
a growing market for the sale of phone records. These records pro- 
vide detailed information about who and what and when we call 
and how long we spend on the phone. Fraudulently obtaining this 
information is an invasion to our personal privacy, and it cannot 
be allowed to continue. 



8 


But at the same time, we need to provide for equal treatment for 
all those who collect that data. As we move forward, we should en- 
sure that this bill will not hamper lawful and necessary means to 
protect our country from foreign terrorism. I look forward to hear- 
ing from each witness as we address these concerns. 

And I thank you, and I yield back my time. 

Ms. DeGette. The Chair now recognizes the distinguished gen- 
tleman from Maryland, Mr. Wynn, for 1 minute. 

OPENING STATEMENT OF HON. ALBERT R. WYNN, A REP- 
RESENTATIVE IN CONGRESS FROM THE STATE OF MARY- 
LAND 

Mr. Wynn. Thank you, Madame Chairman, for holding this hear- 
ing on an issue of such importance to American consumers. 
Pretexting, the unlawful, false, fictitious or fraudulent statements 
or representations in order to obtain the personal proprietary infor- 
mation of a consumer poses serious threats to the privacy of con- 
sumers and to the integrity of the telecommunications industry. 
The ease with which one can obtain private information on other 
individuals concerns me, especially when we know the harm that 
can be done with such records. The improper use of customer pro- 
priety network information, CPNI, have been used in the past by 
suspected mobsters to intimidate police officers and by stalking in 
the murder of Amy Boyer in 1999. 

As a matter of public policy, we must ensure that this type of in- 
formation cannot be easily bought over the Internet. We need to 
pass legislation to make sure that those who illegally purchase 
CPNI are aggressively prosecuted, but, at the same time, we need 
to make sure this bill does not hamstring telecommunication pro- 
viders who use CPNI in a responsible manner to better target their 
consumers for new products or services and ultimately pass savings 
along to them. 

I look forward to this hearing and hearing from the witnesses. 
It is critical that we safeguard individuals from pretexting. I thank 
you for this time, and I yield back. 

Ms. DeGette. The Chair now recognizes the distinguished gen- 
tleman from Illinois, Mr. Shimkus, for 1 minute. 

Mr. Shimkus. I will waive. 

Ms. DeGette. The gentleman waives. 

The Chair now recognizes the gentleman from Pennsylvania, Mr. 
Pitts. 

OPENING STATEMENT OF HON. JOSEPH R. PITTS, A REP- 
RESENTATIVE IN CONGRESS FROM THE COMMONWEALTH 

OF PENNSYLVANIA 

Mr. Pitts. Thank you, Madame Chairman. 

I am looking forward to hearing what our witnesses have to say 
this morning. Everyone agrees that pretexting needs to be stopped, 
but we need to do it in a way that does not ensnare legitimate 
business practices. We have a good bill before us, and I will be in- 
terested to hear what our witnesses have to say about how we can 
improve it when we mark it up. 

I am also grateful to the sponsors of this bill for including the 
wireless directory assistance language that I and my friend Chair- 



9 


man Markey worked so hard on over the last two Congresses. 
While telephone numbers are not, strictly speaking, considered cus- 
tomer proprietary network information, wireless telephone num- 
bers are definitely considered personal information by the vast ma- 
jority of consumers, and I expect this language will become law this 
year, and I am very happy about that. This hearing will also be a 
chance for us to make sure that that part of the bill is written the 
best way possible and will not have any unintended consequences. 

Thank you, Madame Chairman. 

Ms. DeGette. The Chair now recognizes the distinguished gen- 
tleman from Texas, Mr. Green, for 1 minute. 

OPENING STATEMENT OF HON. GENE GREEN, A 
REPRESENTATIVE IN CONGRESS FROM THE STATE OF TEXAS 

Mr. Green. Madame Chairman, I am glad we are considering 
H.R. 936, and I am a proud cosponsor of it. Our committee has a 
histop^ of privacy protections, going back to the legislation on 
banking in the last decade, and we are concerned about the privacy 
of our own information, whether it is good banking records or our 
cell phones and our own hard lines. And pretexting should have 
passed last time, as most of my colleagues said. I think there is an 
issue we are going to have to deal with on the contracting out, as 
I heard our chair of the Energy Subcommittee talk about. I would 
just hope that whatever we do about contracting out would have 
the same restrictions as the person who is doing the contracting. 

And I yield back my time. 

Ms. DeGette. The gentleman yields back. 

The Chair now recognizes the distinguished gentleman from Or- 
egon, Mr. Walden, for 1 minute. 

OPENING STATEMENT OF HON. GREG WALDEN, A REPRESENT- 
ATIVE IN CONGRESS FROM THE STATE OF OREGON 

Mr. Walden. Thank you, Madame Chair. 

I am looking forward to this hearing, and while I supported this 
legislation last year and certainly participated in the oversight 
hearings on pretexting, I want to make sure that, as we move for- 
ward, that we aren’t doing something that has unintended con- 
sequences when it comes to legitimate marketing issues so that 
consumers can get access to information for offers and things they 
may want to take advantage of And so I am going to raise a few 
of those questions. I think there have been some points raised since 
this bill was passed out of this committee last year and sent to the 
full House, which never took it up, that need to be addressed to 
make sure we are doing the right thing, which is protecting the 
rights of consumers, not to be ripped off and not to be abused, as 
we witnessed in our hearings. And there are some very serious le- 
gitimate problems out there that we need to address. In doing so, 
let us make sure that we don’t go overboard. 

So thank you for this hearing and for your work on the Oversight 
Committee as well, and I look forward to the testimony of our wit- 
nesses. 

Ms. DeGette. The gentleman yields back. 

The Chair now recognizes the gentleman from Texas, Mr. Gon- 
zalez, for 1 minute. 



10 


Mr. Gonzalez. I waive. 

Ms. DeGette. The gentleman waives. 

The Chair now recognizes the distinguished gentle lady from Or- 
egon, Ms. Hooley, for 1 minute. 

The gentle lady waives. 

The gentleman from New York, Mr. Weiner. 

OPENING STATEMENT OF HON. ANTHONY D. WEINER, A REP- 
RESENTATIVE IN CONGRESS FROM THE STATE OF NEW 

YORK 

Mr. Weiner. Thank you, Madame Chair. And I look forward to 
this hearing, and I want to commend the committee for the work 
that they have done last year. 

There are some foundational principles that we should keep in 
mind. One is there has to he a reasonable understanding that con- 
sumers expect the information to be shared. In this case, I think 
most, as Mr. Markey said, consumers don’t even realize this infor- 
mation is available to be shared. And this is not like some other 
data in our lives that we kind of sense maybe someone else is going 
to get a hold of 

And second, if the administration has concerns about national se- 
curity, concerns about the legislation, let us hope this year they 
confront it in a more forthright fashion, rather than in the dark of 
night, simply killing a bill that should have been on the suspension 
calendar, as many of us would agree with. If a court gets an oppor- 
tunity to view these concerns, I am convinced that they will make 
the right decisions. But simply making these privacy decisions in 
the dark of night by security officials, we have learned over and 
over again, this administration cannot be trusted with that much 
authority. 

And I yield back my time. 

Ms. DeGette. The gentleman yields back. 

The Chair now recognizes the gentleman from Nebraska, Mr. 
Terry, for 1 minute. 

Mr. Terry. Waive. 

Ms. DeGette. The gentleman waives. 

The Chair now recognizes the gentleman from Texas, Mr. Hall, 
for 1 minute. 

Mr. Hall. Chairman, there is nothing I can add to this. I voted 
for it the last time. I don’t know why we don’t run it on through 
now and pull our hat down over our ears and try to get it out of 
the Senate and listen to these five young men and this lovely lady 
to tell us what they think about this, and especially to welcome Mr. 
Large nt, a former member here. 

I yield back. 

Ms. DeGette. The Chair recognizes herself for 1 minute. 

OPENING STATEMENT OF HON. DIANA DEGETTE, A REP- 
RESENTATIVE IN CONGRESS FROM THE STATE OF COLO- 
RADO 

Ms. DeGette. Last year, we had a series of hearings in the 
Oversight and Investigations Subcommittee on pretexting, and 
really, what we learned was disturbing. Your personal data is out 
there for sale, and, as we have heard, it just takes a few minutes 



11 


and a little money for someone to get access to your telephone 
records and other pieces of private information. 

What seemed worse to me, though, was there are a number of 
prominent citizens in this country and lawyers who don’t seem to 
understand that this is, at best, unethical, in many situations, and, 
at worst, and probably, in many States, illegal. And that is why we 
need to clarify the Federal law. That is what H.R. 936 was in- 
tended to do. 

Last year, this committee passed that bill unanimously, and 
somehow between this committee and the House floor, it got lost. 
And we never did find it. But this year, it is a new year. It is a 
new Congress. And it is going to be a new fate for H.R. 936. 

I look forward to hearing the witnesses about this bill. And most 
importantly, I look forward to passing this bill through the commit- 
tee and through the House of Representatives. 

With that, the Chair now recognizes Mr. Burgess from Texas for 
1 minute. 

Mr. Burgess. Thank you, Madame Chairman. I think, in the in- 
terest of time, I will submit my statement for the record and re- 
serve time for questions. 

Ms. DeGette. Without objection. 

The Chair now recognizes Mr. Sullivan from Oklahoma. 

Mr. Sullivan. Madame Chairman, I, too, shall submit mine for 
the record. 

Ms. DeGette. The chairman now recognizes the gentleman from 
New York, Mr. Towns, for 1 minute. 

OPENING STATEMENT OF HON. EDOLPHUS TOWNS, A REP- 
RESENTATIVE IN CONGRESS FROM THE STATE OF NEW 

YORK 

Mr. Towns. Thank you very much, Madame Chair. 

Let me thank all of the witnesses for coming. And I especially 
want to thank my former colleague, Steve Largent for being here. 

Also, what I would like for these fine witnesses to do for me is 
to clarify the issues that the industry has with the bill and to show 
us how companies use customer proprietary network information to 
assist them in providing better choices and products to our con- 
stituents. 

Although consumers enjoy all the new options they have, they 
want to b^elieve that their personal details will not be abused. And 
of course, I would like to hear. Some of that makes me feel com- 
fortable in that regard, and at the same time, we recognize that we 
do not want to eliminate progress, but we also have to be concerned 
about fraud. 

On that note, I yield back, Madame Chair. 

Ms. DeGette. The gentleman yields back. 

The Chair now recognizes the gentleman from Mississippi, Mr. 
Pickering. 

Mr. Pickering. Thank you, Madame Chairman. 

In the interest of time, I will yield back. 

Ms. DeGette. The Chair now recognizes Mr. Inslee from Wash- 
ington State. 



12 


OPENING STATEMENT OF HON. JAY INSLEE, A REPRESENTA- 
TIVE IN CONGRESS FROM THE STATE OF WASHINGTON 

Mr. Inslee. Thank you. I think it is about time to do it since I 
first heard about people stealing your personal records over the 
Internet a couple of days after Christmas 2005. So I am glad to fi- 
nally be here. 

I want to note the opt-in provision of this bill that I think is im- 
portant to give consumers the right to opt in rather than have to 
opt out so their records will be protected unless they specifically 
give advanced approval for their information to be divulged. But I 
think I am interested in looking at how we do that without inter- 
fering with the legitimate operational activities of the carriers. 
What my vision is we could have an opt-in requirement for any 
marketing purposes, and the like. But let us get this job done this 
year. Thanks. 

Ms. DeGette. The Chair now recognizes the gentle lady from 
Wisconsin, Ms. Baldwin, for 1 minute. 

OPENING STATEMENT OF HON. TAMMY BALDWIN, A REP- 
RESENTATIVE IN CONGRESS FROM THE STATE OF WISCON- 
SIN 

Ms. Baldwin. Thank you, Madame Chairwoman. 

I hope that hearings like this will generate enough momentum 
to actually move the bill through Congress this year, and I echo my 
colleagues’ concerns that pretexting not only violates a person’s 
right to privacy, but it poses serious risks to people’s safety, such 
as some of the high-profile cases that we have heard of victims of 
domestic violence and stalking and police officers who are doing 
undercover work. 

Furthermore, last fall’s revelations at that corporate sector has 
been using pretexting to obtain personal records of employees, 
board members, journalists and critics further injected a renewed 
sense of urgency in addressing this issue. Imposing penalties on 
the actions of pretexters is certainly a necessary component of 
stemming the problem, but it is not the only one. That is why I am 
particularly pleased that this bill not only makes pretexting to ob- 
tain, solicit, sell, or disclose customer proprietary network informa- 
tion illegal, but it also gives the FTC the enforcement power, and 
it also amends section 222 of the Telecommunications Act to cover 
joint venture partners, et cetera. I do hope that we will promptly 
get about to the task of passing this legislation. 

Thank you, Madame Chairwoman. 

Ms. DeGette. The Chair now is pleased to recognize the distin- 
guished gentle lady from Wyoming, Ms. Cubin. 

OPENING STATEMENT OF HON. BARBARA CUBIN, A REP- 
RESENTATIVE IN CONGRESS FROM THE STATE OF WYOMING 

Ms. Cubin. Thank you, Madame Chairman. 

I cosponsored this le^slation, because I have no doubt that it, ex- 
cuse me, takes the right approach in banning the practice of 
pretexting and giving the FTC enforcement authority to halt this 
practice. And I am looking forward to hearing the Commission’s en- 
forcement efforts today. 



13 


However, I do have some concerns regarding how this legislation 
will affect rural carriers. Often, important, well-meaning legisla- 
tion, such as this, affects rural areas in ways that Congress may 
not have anticipated, and I am very interested in hearing from the 
panel about how this legislation will impact rural carriers and 
rural customers. And I do appreciate the Commission’s efforts to 
enforce section 222 of the Telecommunications Act. And I believe 
this bill takes positive steps to do so. 

However, I would not like to see rural companies face unneces- 
sary, and I would like to underline, disproportionate costs as a re- 
sult of enforcement of this. 

So I would appreciate remarks from the panel on that. 

So thank you, Madame Chairman. 

Ms. DeGette. The Chair now recognizes the distinguished gentle 
lady from Illinois, Ms. Schakowsky, for 1 minute. 

OPENING STATEMENT OF HON. JAN SCHAKOWSKY, A REP- 
RESENTATIVE IN CONGRESS FROM THE STATE OF ILLINOIS 

Ms. Schakowsky. I thank you, Madame Chairman. 

As has been mentioned before, our committee passed an identical 
bill by unanimous vote in the last Congress, and I hope that we 
can get this bill, which would allow the FTC to assess civil pen- 
alties for pretexting for phone records and require phone companies 
to better secure customer records, and that we will get it signed 
into law. 

A number of States, including my own State, and our attorney 
general, Lisa Madigan, was here at the first hearing we had last 
session and actually was invited today, but her schedule didn’t per- 
mit, have used their general consumer protection and consumer 
fraud statutes to file lawsuits against the practice, but because 
there was not a clear Federal statute outlining this anti-consumer 
practice, there were those who still chose to dabble in what they 
claim was a gray area of the law. Last year, a bill that would allow 
for criminal penalties for pretexting was signed into law, but we 
still need to give the FTC the extra authority it needs to impose 
civil penalties. 

But another important concern goes to the reason that con art- 
ists who pretext are so successful, when we started our investiga- 
tion into pretexting in February 2006, there were over 40 sites sell- 
ing other’s phone records. And in the most infamous case to date — 
let me just conclude with this, the quick and easy access to phone 
records raises the question of what phone companies are doing or 
not doing to protect our consumers’ records, and that is a very im- 
portant piece of this. 

So I look forward to passing this important legislation. Thank 
you. 

Ms. DeGette. The Chair recognizes the distinguished gentleman 
from Louisiana, Mr. Melancon. 

The gentleman waives. Are there any other Members who wish 
to make an opening statement? 

Statements will be accepted for the record as well as the text of 
H.R. 936. 

[H.R. 936 follows:] 



14 


I 


110th congress 

1st Session 


H. R. 936 


To prohibit fraudulent access to telephone records. 


IN THE HOUSE OF REPRESENTATUnSS 

Febeuary 8, 2007 

Mr. Dingell (for himself, Mr. Barton of Texas, Mr. M^yrkey, Mr. Upton, 
Mr. Rush, Mr. Stearns, Ms. ScHAitotYSKY, Mr. Boucher, Mr. Gor- 
don of Tennessee, Ms. EsHOO, Mr. Stupak, Mr, Gene Green of Texas, 
Ms. DeGette, Mrs. Capps, Mr. Doyxe, Ms. Sous, Mr. Gonzalez, Mr. 
INSLEE, Ms. Baldwtn, Ms. Hooley, Mr. Matheson, Mr. 
Butterfield, Mr. Fosseluv, Mr. Terry, Mr. Burgess, and Mr. 
Engel) introduced the following bill; which was referred to the Com- 
mittee on EnergY and Commerce 


A BILL 

To prohibit fraudulent access to telephone records. 

1 Be it enacted by the Senate and House of Representa- 

2 fives of the United States of America in Congress assembled, 

3 SECTION 1. SHORT TITLE. 

4 This Act may be cited as the “Prevention of Fraudu- 

5 lent Access to Phone Records Act”. 



15 


2 

1 TITLE I— FEDERAL TRADE 

2 COMMISSION PROVISIONS 

3 SEC. 101. FRAUDULENT ACCESS TO CUSTOMER TELE- 

4 PHONE RECORDS. 

5 (a) Prohibition on Obtaining Customer Inpor- 

6 MATiON BY False Pretenses. — It shall be unlaY4iil for 

7 any person to obtain or attempt to obtain, or cause to 

8 be disclosed or attempt to cause to be disclosed to any 

9 person, customer proprietary network information relating 

10 to any other person by — 

11 (1) making a false, fictitious, or fraudulent 

12 statement or representation to an officer, employee, 

13 or agent of a telecommunications carrier; or 

14 (2) pro\dding any document or other informa- 

15 tion to an officer, employee, or agent of a tele- 

16 communications carrier that the person knows or 

17 should know to be forged, counterfeit, lost, stolen, or 

18 fraudulently obtained, or to contain a false, ficti- 

19 tious, or fraudulent statement or representation. 

20 (b) Prohibition on Solicitation op a Person to 

21 Obtmn Customer Information Under False Pre- 

22 TENSES. — -It shall be unlauffiil to request a person to ob- 

23 tain from a telecommunications carrier customer propri- 

24 etaiy network information relating to any third person, 

25 if the person making such a request knew or should have 


•hr 936 ra 



16 


3 

1 knomi that the person to whom such a request is made 

2 mil obtain or attempt to obtain such information in the 

3 manner described in subsection (a). 

4 (c) Prohibition on Sale or Other Disclosure 

5 OF Customer iNPORiLiTiON Obiluned Under False 

6 Pretenses. — It shall be unlawful for any person to sell 

7 or otheraise disclose to any person customer proprietary 

8 netwnrk information relating to any other person if the 

9 person selling or disclosing obtained such information in 

10 the manner described in subsection (a). 

1 1 SEC. 102. EXEMPTION. 

12 No proiision of section 101 shall be construed so as 

13 to prevent ary action by a law enforcement agency, or any 

14 officer, employee, or agent of such agency, from obtaining 

15 or attempting to obtain customer proprietary network in- 

16 formation from a telecommunications carrier in connection 

17 with the performance of the official duties of the agency, 

1 8 in accordance with other applicable laws. 

19 SEC. 103. ENFORCEMENT BY THE FEDERAL TRADE COM- 

20 MISSION. 

21 A ^nolation of section 101 shall be treated as a liola- 

22 tion of a rale defining an unfair or deceptive act or prac- 

23 tice prescribed under section 18(a)(1)(B) of the Fedei’al 

24 Trade Commission Act (15 U.S.C. 57a(a)(l)(B)). The 

25 Federal Trade Commission shall enforce this title in the 


•HR 936 IH 



17 


4 

1 same manner, by the same means, and mth the same ju- 

2 risdiction as though all applicable terms and p^o^isions of 

3 the Federal Trade Commission Act were ineoiporated into 

4 and made a part of this title. 

5 SEC. 104. DEFINITIONS. 

6 As used in tliis title — 

7 (1) the term “customer proprietary network in- 

8 formation” has the meaning given such term in sec- 

9 tion 222(j)(l) of the Communications Act of 1934 

10 (47 U.S.C. 222(j)(l)) (as redesignated by section 

11 203 of this Act); 

12 (2) the tenn “telecommunications carrier” — 

13 (A) has the meaning given such term in 

14 section 3(44) of the Communications Act of 

15 1934 (47 U.S.C. 153(44)); and 

16 (B) includes any proidder of real-time 

17 Internet protocol-enabled voice communications; 

18 and 

19 (3) the term “real-time Internet protocol-en- 

20 abled voice communications” means any service that 

21 is treated by the Federal Communications Commis- 

22 sion as a telecommunications sendee prmdded by a 

23 telecommunications carrier for purposes of section 

24 222 of the Communications Act of 1934 (47 U.S.C. 


•HH 936 ra 



18 


5 

1 222) under regulations promulgated pursuant to 

2 subsection (h) of such section. 

3 TITLE II— FEDERAL COMMU- 

4 NICATIONS COMMISSION 

5 PROVISIONS 

6 SEC. 201. FINDINGS. 

7 The Congress finds the follomng: 

8 (1) As our Nation’s communications networks 

9 become more ubiquitous and increasingly sophisti- 

10 cated, more indhdduals and industries nill be using 

11 such networks in gi’eater amounts to communicate 

12 and conduct commercial transactions. 

13 (2) The ease of gathering and compiling sen- 

14 sitive personal information as a result of such com- 

15 munications is becoming more efficient and common- 

16 place due to advances in digital teehnologj'’' and the 

17 widespread use of the Internet. 

18 (3) Ensuring the privacy of sensitive indhidual 

19 telephone calling records, both ivireline and vrreless, 

20 is of utmost importance. The information gathered 

21 and retained by communications providers can eon- 

22 vey details about intimate aspects of an individual’s 

23 life, including who they call, when they call, the du- 

24 ration of such calls, the frequency of their commu- 

25 iiications, information about their purchases, infor- 


•HR 936 IH 



19 


6 

1 matioiial inquiries, political or religious interests, or 

2 other affiliations. 

3 (4) Disclosure of personal telephone records can 

4 also lead to harassment, intiniidation, physical harm, 

5 and identitj^ theft. 

6 (5) The government has a compelling interest 

7 in protecting sensitive personal information eon- 

8 tained in customer telephone records and ensuring 

9 that commercial interests adequate^ protect such 

10 records in order to presence individual freedom, safe- 

11 guard personal privacy, and ensure trust in elee- 

12 tronic commerce. 

13 (6) Because customers have a proprietaiy inter- 

14 est in their sensitive personal information, customers 

15 should have some control over the use and disclosure 

16 of telephone calling records. 

17 (7) A telecommunications carrier may use ag- 

18 gregated data it has obtained from its customer 

19 databases to improve services, solicit new business, 

20 or market additional services to its customers. 

21 (8) A telecommunications carrier may commu- 

22 nieate to all consumers in order to broadly solicit 

23 new business, and may also target specific commu- 

24 nications to its own existing customers, without use 

25 or disclosure of detailed customer calling records 


•HR 936 ra 



20 


7 

1 and thus without the threat of compromising cus- 

2 tomer privacy. 

3 (9) The risk of compromising customer privacy 

4 is raised and increased wiienever additional entities 

5 or persons are permitted use of, or access to, or re- 

6 ceive disclosure of, customer calling records beyond 

7 the carrier with wiiieh the customer has an estab- 

8 lished business relationship. 

9 (10) A telecoimnunications carrier wiiicli ob- 

10 tains or possesses a customer’s calling records has a 

11 duty to safeguard the confidentiality of such cus- 

12 tomer’ s personal information. Detailed customer 

13 calling records describing the customer’s use of tele- 

14 communications services should not be publicly avail- 

15 able or offered for commercial sale. 

16 SEC. 202. EXPANDED PROTECTION FOR DETAILED CUS- 

17 TOMER RECORDS. 

18 (a) Confidentiality of Customer Informa- 

19 Tiox. — Paragraph (1) of section 222(c) of the Commu- 

20 nications Act of 1934 (47 U.S.C. 222(c)(1)) is amended 

21 to read as follows: 

22 “(1) Privacy requirements for tele- 

23 communications carriers. — 

24 “(A) In GENERAIj. — Except as required by 

25 la^v or as permitted under the following proA- 


•HE 936 IH 



21 


1 

2 

3 

4 

5 

6 

7 

8 
9 

10 

11 

12 

13 

14 

15 

16 

17 

18 

19 

20 
21 
22 

23 

24 


8 

sions of this paragraph, a teleeommimications 
carrier that receives or obtains indiiddually 
identifiable customer proprietarj^ network infor- 
mation (including detailed customer telephone 
records) bj'^ virtue of its prowsion of a tele- 
communications sendee shall only use, disclose, 
or permit access to such information or records 
in the pronsiou by such carrier of — 

“(i) the telecommunications sendee 
from which such infonnation is derived; or 
“(ii) sendees necessary to, or used in, 
the provision of such telecommunications 
sendee, including the publishing of direc- 
tories. 

“(B) Keqcirements for disclosure op 

DETAILED INPOR.ALVTION. — telecommuiii- 
eations carrier may only use detailed customer 
telephone records through, or disclose such 
records to, or permit access to such records by, 
a joint venture partner, independent contractor, 
or any other third party (other than an affil- 
iate) if the customer has given exjjress prior au- 
thorization for tliat use, disclosure, or access, 
and that authorization has not been wdthdrami. 


■HR 936 IH 



22 


9 

1 “(C) Requirements for aittlmte use 

2 OP BOTH GENERAL ^iND DETAILED INPORMA- 

3 TION. — A telecommuilieatioiis carrier may not, 

4 except mth the appro\'al of a customer, use in- 

5 clmdually identitiable customer proprietaiy net- 

6 work information (including detailed customer 

7 telephone records) through, or disclose such in- 

8 formation or records to, or permit access to 

9 such information or records by, an affiliate of 

10 such carrier in the proiasion by such affiliate of 

11 the sendees described in clause (i) or (ii) of 

12 subparagraph (A). 

13 “(D) Requirements for partner and 

14 c^ontractor use op general informa- 

15 TION. — A telecommunications carrier may not, 

16 except with the approval of the customer, use 

17 individually identifiable customer proprietaiy 

18 network information (other than detailed cus- 

19 tomer telephone records) through, or disclose 

20 such information to, or permit access to such 

21 information by, a joint venture partner or inde- 

22 pendent contractor in the pronsion by such 

23 partner or contractor of the sendees described 

24 in clause (i) or (ii) of subparagraph (A). 


•HH 936 ra 



23 


10 

1 “(E) Access to mRELESS telephone 

2 NUMBERS. — A telecommunications carrier may 

3 not, except with prior express authorization 

4 fi’om the customer, disclose the wireless tele- 

5 phone number of any customer or permit access 

6 to the wireless telephone number of any cus- 

7 tomer.”. 

8 (b) Disclosure of Detailed iNFOitmTiON on 

9 Request by Customer. — S ection 222(e)(2) of such Act 

10 is amended bj^ inserting’ “(including a detailed customer 

11 telephone record)” after “customer proprietar\" network 

12 information”. 

13 (e) Aggregate Data. — Section 222(c)(3) of such 

14 Act is amended by adding at the end the following new 

15 sentence: “Aggi-egation of data that is conducted by a 

16 third part 3 ’ maj' be treated for purposes of this subsection 

17 as aggregation bj' the cariler if such aggregation is con- 

18 ducted in a secure manner under the control or super- 

1 9 vision of the carrier. ’ ’ . 

20 (d) Prohibition of SiVLE of General or De- 

21 TitiLED iNPOEiLtTiON. — Section 222(c) of such Act is fur- 

22 ther amended b\' adding at the end the following new^ para- 

23 graph: 

24 “(4) Prohibition op sale op general or 

25 DETxAILED iNFORikiATiON. — Except for the purposes 


•HR 986 IH 



24 


11 

1 for which use, disclosure, or access is permitted 

2 under subsection (d), it shall be unla^^ful for any 

3 person to sell, rent, lease, or otherwise make avail- 

4 able for remuneration or other consideration the cus- 

5 tomer proprietaiy nehvork information (including 

6 the detailed customer telephone records) of any cus- 

7 tomer.”. 

8 (e) Exceptions to Limitations on Disclosures 

9 OB^ Detailed Information. — Section 222(d) of such Act 

10 is amended — 

11 (1) bj^ striking “its agents” and inserting “its 

12 joint venture partners, contractors, or agents”; and 

13 (2) in paragraph (1), by inserting after “tele- 

14 communications sendees” the following: or pro- 

15 nde customer service with respect to telecommuni- 

16 cations sendees to which the customer subscribes”. 

17 SEC. 203. PREVENTION BY TELECOMMUNICATIONS CAR- 

18 RIERS OF FRAUDULENT ACCESS TO PHONE 

19 RECORDS. 

20 Section 222 of the Communications Act of 1934 (47 

21 U.S.C. 222) is further amended — 

22 (1) by redesignating subsection (h) as sub- 

23 section (j); 

24 (2) by inserting after subsection (g) the fol- 

25 lowing new’ subsections: 


•HR 936 m 



25 


1 

2 

3 

4 

5 

6 

7 

8 
9 

10 

11 

12 

13 

14 

15 

16 

17 

18 

19 

20 
21 
22 

23 

24 


12 

“(h) Prevention of PimiDULENT Access to 
Phone Records. — 

“(1) Regulations. — ^Within 180 days after the 
date of eiiactmeiit of the Prevention of Fraudulent 
Access to Phone Records Act, the Commission shall 
prescribe regulations adopting more stringent secu- 
rity standards for customer proprietaiy network in- 
formation (including detailed customer telephone 
records) to detect and prevent violations of this sec- 
tion. The Commission — 

“(A) shall prescribe regulations — 

“(i) to require timely notice (written 
or electronic) to each customer upon 
breach of the regulations under this section 
with respect to customer proprietary net- 
work information relating to that cus- 
tomer; 

“(ii) to require timely notice to the 
Commission upon breach of the regulations 
under tliis section with respect to customer 
proprietary netrvork information relating to 
any customer; 

“(iii) to require periodic audits by the 
Commission of telecommunication carriers 


•HR 936 IH 



26 


1 

2 

3 

4 

5 

6 

7 

8 
9 

10 

11 

12 

13 

14 

15 

16 

17 

18 

19 

20 
21 
22 

23 

24 

25 


13 

and their agents to determine compliance 
mth this section; 

“(iv) to require telecommunieations 
carriers and their agents to maintain 
records — 

“(I) of each time customer pro- 
prietary^ network information is re- 
quested or accessed by, or disclosed 
to, a person purporting to be the cus- 
tomer or to be acting at the request 
or direction of the customer; and 

“(II) if such access or disclosure 
was granted to such a person, of how 
the person’s identity or authority was 
verified; 

“(v) to require telecommunieations 
carriers to establish a security policy that 
includes appropriate standards relating to 
administrative, technical, and phj>«ieal 
safeguards to ensure the security and eon- 
fidentiahty of customer proprietaiy net- 
work information; 

“(ty) to prohibit any telecommuni- 
eations carrier from obtaining or attempt- 
ing to obtain, or causing to be disclosed or 


•HR 936 IH 



27 


1 

2 

3 

4 

5 

6 

7 

8 
9 

10 

11 

12 

13 

14 

15 

16 

17 

18 

19 

20 
21 
22 

23 

24 

25 


14 

attempting to cause to be disclosed to that 
carrier or its agent or employee, customer 
proprietai^' network information relating to 
any customer of another carrier — 

“(I) by using a false, fictitious, 
or fraudulent statement or representa- 
tion to an officer, employee, or agent 
of another telecommmiications carrier; 
or 

“(II) by making a false, ficti- 
tious, or fraudulent statement or rep- 
resentation to a customer of another 
telecommunications carrier; and 
“(Adi) only for the purposes of this 
section, to treat as a telecommunications 
sendee pro\dded by a telecommunications 
carrier any real-time Internet protocol-en- 
abled Auiee communications offei’ed by any 
person to the public, or such classes of 
users as to be effectively aAmlable to the 
public, that allows a user to originate traf- 
fic to, or terminate traffic from, the public 
sudtehed telephone net\Anrk; and 
“(B) shall consider prescribing regula- 
tions — 


•HR 936 IH 



28 


1 

2 

3 

4 

5 

6 

7 

8 
9 

10 

11 

12 

13 

14 

15 

16 

17 

18 

19 

20 
21 
22 

23 

24 


15 

“(i) to require telecommunications 
earriei's to institute customer-specific iden- 
tifiers in order to access customer propri- 
etaiy network information; 

“(ii) to require encryption of customer 
proprietary network information data or 
other safeguards to better secure such 
data; and 

“(hi) to require deletion of customer 
proprietary' network information data after 
a reasonable period of time if such data is 
no longer necessary' for the purpose for 
which it was collected or for the purpose of 
an exception contained in section (d), and 
there ai’e no pending requests for access to 
such iirformation. 

“(2) Reports. — 

“(A) Assessment and recommenda- 
tions. — ^Within 12 months after the date on 
which the Commission’s i*egulations under para- 
graph (1) are prescribed, and again not later 
than 3 years later, the Commission shall submit 
to the Committee on Energy' and Commerce of 
the House of Representatives and the Com- 


•HR 936 IH 



29 


1 

2 

3 

4 

5 

6 

7 

8 
9 

10 

11 

12 

13 

14 

15 

16 

17 

18 

19 

20 
21 
22 

23 

24 

25 


16 

mittee on Commerce, Science, and Transpor- 
tation of the Senate a report containing — 

“(i) an assessment of the efficacy and 
adequacy of the regulations and remedies 
pro-^dded in accordance with this subsection 
in protecting customer propiietary network 
information; 

“(ii) an assessment of the efficacy and 
adequacy of telecommunications caniers’ 
safeguards to secure such data, securit}" 
plans, and notifieation procedures; and 

“(iii) any recommendations for addi- 
tional legislative or regulatoiy action to ad- 
dress threats to the privacy of customer in- 
formation. 

“(B) Annual report. — The Federal 
Communications Commission shall submit to 
Congress an annual report containing — 

“(i) the number and disposition of all 
enforcement actions taken pursuant to this 
subsection; and 

“(ii) the number and tjqie of notifica- 
tions received under paragraph (l)(A)(ii) 
and the methodology', including the basis 
for the selection of carriers to be audited. 


•HR 936 IH 



30 


17 

1 and the results of each audit conducted 

2 under paragraph (l)(A)(iii). 

3 “(3) Dual regulation prohibited. — ^Any 

4 person that is treated as a telecommunications car- 

5 rier pro\dding a telecommunications sendee mth re- 

6 speet to the offering of real-time Internet protocol- 

7 enabled voice communications by the regulations 

8 prescribed under paragraph (l)(A)(\di) shall not be 

9 subject to the pronsions of section 631 with respect 

10 to the offering of such communications. 

11 “(i) Forfeiture Penalties. — 

12 “(1) Increased PENAi/riES. — In any case in 

13 which the \iolator is determined by the Commission 

14 under section 503(b)(1) to have violated this section 

15 or the regulations thereunder, section 503(b)(2)(B) 

16 shall be applied — 

17 “(A) by substituting ‘$300,000’ for 

18 ‘$100,000’; and 

19 “(B) by substituting ‘$3,000,000’ for 

20 ‘$ 1 , 000 , 000 ’. 

21 “(2) No FIRST WARNINGS.— Paragraph (5) of 

22 section 503(b) shall not apply to the determination 

23 of forfeiture liability mider such section vith respect 

24 to a ^dolation of this section or the regulations there- 


•HR 936 ra 



31 


18 

1 under by any telecommunications carrier or anj" 

2 agent of such a carrier.”; and 

3 (3) in subsection (g), by striking “subsection 

4 (i)(3)(A)” and inserting “subsection (j)(3)(A)”. 

5 SEC. 204. DEFINITIONS. 

6 Subsection (j) of section 222 of the Communications 

7 Act of 1934 (47 U.S.C. 222(j)), as redesignated by section 

8 203(1) of this Act, is amended by adding at the end the 

9 follo\ring new paragraphs: 

10 “(8) DETiVILED CUSTOMER TELEPHONE 

11 RECORD. — The term ‘detailed customer telephone 

12 record’ means customer proprietary network infor- 

13 mation that contains the specific and detailed des- 

14 tinations, locations, duration, time, and date of tele- 

15 communications to or from a customer, as tj^pically 

16 contained in the bills for such sendee. Such term 

17 does not mean a^yegate data or subscriber list in- 

18 formation. 

19 “(9) Wireless telephone number. — The 

20 term ‘mreless telephone number’ means the tele- 

21 phone number of a subscriber to a commercial mo- 

22 bile sendee.”. 

O 


•HB 936 IH 



32 


Ms. DeGette. I would like to welcome our panel today of distin- 
guished witnesses, most especially our former colleague, Mr. 
Largent, who we are delighted to have appear in front of the com- 
mittee. The witnesses are now recognized, and we will start with 
Ms. Lydia Fames. 

Ms. Fames. 

STATEMENT OF LYDIA PARNES, DIRECTOR, BUREAU OF 
CONSUMER PROTECTION, U.S. FEDERAL TRADE COMMISSION 

Ms. Farnes. Good morning, Madame Chairman, Ranking Mem- 
ber Barton, members of the committee. 

I appreciate your invitation to appear today to discuss the pri- 
vacy and security of consumers’ telephone records. 

Although my written statement is that of the Commission, my 
oral testimony and responses to questions reflect my own views 
and not necessarily those of the Commission or any individual com- 
missioner. 

Frotecting the privacy and security of consumer-sensitive per- 
sonal information is one of the Commission’s highest priorities, and 
aggressive law enforcement is at the center of our efforts to protect 
consumers’ telephone call records from pretexting. 

Last May, the Commission announced five lawsuits against 12 
defendants who obtained and sold consumers’ telephone records 
without their knowledge or authorization. The Commission alleged 
that these practices were unfair and prohibited by section 5 of the 
FTC Act. In each of these cases, the defendant advertised on its 
Web site that it could obtain confidential, customer phone records 
from telecommunications carriers for fees ranging from $65 to 
$180. 

To date, the Commission has settled two of these cases, obtaining 
strong, permanent injunctions that bar the defendants from selling 
phone records or personal information taken from those records. In 
addition, the settlements require the defendants to disgorge their 
profits. The remaining three cases are still in active litigation. 

These five cases were the culmination of extensive investigations 
of this industry. Commission staff surfed the Internet for compa- 
nies that offer to sell consumers’ phone records, sent warning let- 
ters, and then identified appropriate targets for investigation and 
completed undercover purchases of these records. The Commission 
worked closely with the Federal Communications Commission in 
developing these cases. We are committed to coordinating our work 
on this issue, as we have done successfully in other areas. 

Last month, the Commission filed a sixth case against six de- 
fendants that allegedly conducted or directed actual pretexting. 
Again, the FTC alleged that the defendants obtained and sold con- 
sumers’ confidential phone records without their knowledge or con- 
sent. This case connects the actual pretexters to the middlemen 
who sell the records to third parties. In addition to alleging that 
the unauthorized sale of phone records is an unfair practice, the 
FTC’s complaint alleges that the defendants engaged in deception 
by obtaining the records through the use of fraud and misrepresen- 
tations. 

These telephone-pretexting cases follow a long line of actions 
against defendants charged with the pretexting of financial records. 



33 


We filed our first financial pretexting case in 1999 against a com- 
pany that offered to provide consumers’ bank account numbers and 
balances for a fee. Congress later enacted the Gramm-Leach-Bliley 
Act, which expressly prohibits pretexting for financial records. The 
FTC has followed up with more than a dozen cases. 

Let me turn briefly to the subject of legislation. 

The proposed Phone Records Act contains several important pro- 
visions that would assist the Commission in combating phone 
pretexting. 

First, it applies not only to pretexters, but to those who solicit 
their services and know, or should know, that the records are ob- 
tained through false pretenses. Second, it grants the FTC the 
power to seek civil penalties against violators. And third, it con- 
tains an important exemption for law enforcement. These provi- 
sions would provide the Commission with useful, additional tools 
for combating telephone records pretexting. 

In addition to the Phone Records Act, two recently-passed stat- 
utes will assist in the fight against phone pretexting. 

First, in December 2006, Congress enacted the U.S. Safe Web 
Act, which allows greater cooperation and information sharing be- 
tween the Commission and its counterparts in other countries. The 
U.S. Safe Web Act will assist the Commission in pursuing data bro- 
kers, who are operating outside the United States. Second, Con- 
gress passed the Telephone Records and Privacy Protection Act, 
which criminalizes obtaining confidential records by making false 
statements to a telephone service provider. In light of this new law, 
we anticipate developing criminal law enforcement referrals to our 
sister agency, the Department of Justice. 

Again, thank you for the opportunity to testify today. We look 
forward to working with the committee and its staff on this very 
important issue, and I would be happy to answer any questions you 
may have. 

[The prepared statement of Ms. Parnes follows:] 



34 


PREPARED STATEMENT OF 
THE FEDERAL TRADE COMMISSION 


Before the 


COMMITTEE ON ENERGY AND COMMERCE 
UNITED STATES HOUSE OF REPRESENTATIVES 


on 


“Combating Pretexting: H.R. 936, Prevention of Fraudulent 
Access to Phone Records Act” 


March 9, 2007 



35 


I. Introduction 

Chairman Dingell, Ranking Member Barton, and members of the Committee, I am Lydia 
Pames, Director of the Bureau of Consumer Protection at the Federal Trade Commission (“FTC” 
or “Commission”).’ I appreciate the opportunity to discuss the practice of obtaining 
unauthorized access to consumers’ sensitive information through fraud, a practice known as 
“pretexting,” as well as the Commission’s significant work to protect the privacy and security of 
telephone records and other types of sensitive consumer information. I also appreciate the 
opportunity to comment on the proposed Prevention of Fraudulent Access to Phone Records Act, 
H.R. 936. The Committee’ s work in this area has been important in protecting consumers. 

Ensuring the privacy and security of consumers’ personal information is one of the 
Commission’s highest priorities. Individuals or companies that procure throu^ pretexting or 
sell on the open market confidential consumer information without the consumer’ s knowledge or 
consent not only violate the law, but they undermine consumers’ confidence in the marketplace 
and in the security of their sensitive data. Accordingly, the Commission has used its full arsenal 
of tools to attack the pretexters and the brokers who sell pretexted information. Since 2006, the 
Commission initiated a half dozen law enforcement actions against onUne data brokers and 
pretexters of confidential consumer telephone records. The Commission also has developed and 
disseminated a variety of new online and written materials to educate consumers about protecting 
their sensitive personal information in general and from pretexting in particular. 

Today, I will first discuss the FTC’s efforts to protect consumers from the sale of phoqe 


‘ The views expressed in this statement represent the views of the Commission. 
My oral testimony and responses to questions reflect my own views and do not necessarily 
represent the views of the Commission or any individual Commissioner. 


1 



36 


records obtamed through pretexting. Next, I will provide a brief history of the FTC’s 
enforcement efforts in the area of pretexting for financial information. I will then address the 
provisions of H.R. 936. 

n. FTC Enforcement Efforts Against Firms Selling Telephone Records 

Aggressive law enforcement is at the center of the FTC’s efforts to protect consumers’ 
telephone call records from pretexting. The acquisition of such records by unauthorized third 
parties is a serious intrusion into consumers’ privacy that presents a significant risk of harm. 
Evidence obtained in the Commission’s law enforcement actions reveals truly horrifying 
incidents of stalking and harassment of consumers whose call records were pretexted.^ 

Last May, the Commission announced an initial wave of five lawsuits in federal courts 
across the country against online data brokers, alleging that the defendants had engaged in unfair 
practices, prohibited by Section 5 of the FTC Act,^ when they obtained and sold consumer 


^ Several consumers whose phone records were obtained and sold by the defendants 
in one of the FTC’s pending phone pretexting cases have submitted signed declarations, attesting 
that they have been stalked and physically threatened by, for example, a former co-worker, an ex- 
spouse. and an ex-boyfrtend. In addition to the real threat posed to their safety, these consumers 
have spent significant time and hundreds of dollars changing phone numbers or service 
providers. See Br. of PI. FTC in Supp. of Mot. for Summ. J. at 8-14, FTC v. AccuSearch, Inc., 

No. 06-CV-0105 (D. Wyo. Jan. 22, 2007). 

In addition, there have been media reports of other incidents of pretexting that led to 
harm. One data broker reportedly sold home phone numbers and addresses of Los Angeles 
Police Department detectives to suspected mobsters, who then used the information in an 
apparent attempt to intimidate the detectives and their families. See, e.g., Peter Svensson, 

Calling Records Sales Face New Scrutiny, Wash. Post, Jan. 18, 2006, available at 
www.washingtonpost.com/wD-dvn/content/ article/2006/01/1 8/AR200601 1 801 659.html . 

^ 15 U.S.C. § 45(a). An act or practice is unfair if it: (1) causes or is likely to cause 

consumers substantial injury; (2) the injury is not reasonably avoidable by consumers; and (3) 
the injury is not outweighed by countervailing benefits to consumers or competition. Id. at § 
45(n). Under Section 13(b) of the FTC Act, 15 U.S.C. § 53(b), the Commission has the authority 
to file actions in federal district court to obtain injunctions and other equitable relief against those 


2 



37 


telephone records without the consumer’s knowledge or authorization.* In each of these cases, 
the defendant advertised on its website that it could obtain confidential customer phone records 
from telecommunications carriers for fees ranging from $65 to $ 1 80. The complaints alleged 
that the defendants, or persons they hired, obtained this information by using false pretenses, 
including posing as the carrier’s customer, to induce the carrier’s employees to disclose the 
records. 

To date, the Commission has settled two of these cases, obtaining permanent injrmctions 
that bar the defendants from selling customer phone records or consumer personal information 
derived from such records.’ In addition, the settlements require the defendants to disgorge the 
profits they derived from the alleged illegal operations.* The remaining three cases are still in 
active htigation. 

The FTC’s first wave of phone pretexting cases was the culmination of extensive 
investigations of this industry. Commission staff surfed the Internet for companies that offered 
to sell consumers’ phone records, then identified appropriate targets for investigation and 


engaged in violations of Section 5. 

* FTC V. Info. Search, Inc., No. 1:06-CV-01099-AMD (D. Md. filed May I, 2006); 
FTC V. AccuSearch, Inc., No. 06-CV-0105 {D. Wyo. filed May 1, 2006); FTCv. CEO Group, 
Inc., No. 06-60602 (S.D. Fla. filed May 1, 2006); FTC v. 77 Investigations, Inc., No. EDCV06- 
0439 VAP (C.D. Cal. filed May 1, 2006); FTC v. Integrity Sec. and Investigation Serve., Inc., 
No. 2:06-CV-241-RGD-JEB (E.D. Va. filed May 1, 2006). 

’ FTC V. Integrity Sec. and Investigation Servs., Inc., supra note 4 (final judgment 
entered Oct. 30, 2006) available at 

www.ftc.gOv/os/caselist/pretextingsweep/061005isisstipfinalord.Ddf: and FTC v. Info. Search, 
Inc., supra note 4 (final judgment entered Feb. 22, 2007). 

* The FTC does not have authority to obtain civil penalties in these cases, and 
therefore is limited to the equitable remedy of disgorgement. As currently drafted, H.R. 936 
would authorize the Commission to seek civil penalties. 


3 



38 


completed undercover purchases of the records. For some of these companies, staff sent warning 
letters and followed up later to ensure that they were no longer selling consumer phone records. 
Other companies became targets for enforcement action, as described above. 

The Commission has been assisted greatly in its efforts by the Federal Communications 
Commission, which has jurisdiction over telecommunications carriers subject to the 
Telecommunications Act.’ Our two agencies are committed to coordinating otir work on this 
issue, as we have done successfully in enforcing the “National Do Not Call” implementation 
legislation. 

Building upon evidence gathered in its initial cases, last month the Commission filed a 
sixth case in federal district court in Florida against several defendants that allegedly conducted 
or directed the actual pretexting and obtained consumers’ phone records on behalf of others.* 


' Consumer telephone records are considered “customer proprietary network 
information” under the Telecommunications Act of 1996 (“Telecommunications Act”), which 
amended the Communications Act, and accordingly are afforded privacy protections by the 
regulations under that Act. See 42 U.S.C. § 222; 47 C.F.R. §§ 64.2001- 64.2009. The 
Telecommunications Act requires telecommunications carriers to secure the data, but does not 
specifically address pretexting to obtain telephone records. The FTC’s governing statute 
exempts from Commission jurisdiction common carrier activities that are subject to the 
Communications Act. 15 U.S.C. § 46(a). The Commission recommended that Congress remove 
this exemption at its two most recent reauthorization hearings and in testimony on FTC 
jurisdiction over broadband Internet access service before the Senate Judiciary Committee in 
June 2006. See httD://www.ftc.2ov/os/2003/06/030611reanttLhr.htm: 
http://www.ftc.gOv/os/2003/06/030611reauthsenate.htm; see also 
http://www.ftc. gov/os/203/06/0306 1 1 learvsenate.htm: 
httD://www.ftc.gov/os/2002/07/sfareanthte.st.htm : 

http://www.ftc.gov/os/2006/06/D052103CommissionT estimonvReRroadhandrntemc!tAcRss 
Services06 1 42006Senate.pdf. 

* FTC V. Action Research Group, Inc., No. 6:07-cv-227-Orl-22JGG, (M.D. Fla. 
filed Feb. 14, 2007). Several of the defendants named in the FTC’s complaint are also the 
subject of federal and state criminal actions in CaUfomia, stemming fixtm the well-publicized 
phone records pretexting of Hewlett-Packard board members and journalists. See, e.g.. Matt 
Richtel, With a Little Stealth, Just About Anyone Can Get Phone Records, NY Times, Sep. 7, 


4 



39 


The FTC alleged that Action Research Group and its principals and agents obtained and sold 
consumers’ confidential phone records without their knowledge or consent. This case connects 
the phone records pretexters to the middlemen who sell the records to third parties. In addition to 
allegiag that the unauthorized sale of phone records is an unfair practice, the FTC’ s complaint 
alleges that the defendants engaged in deceptive practices by obtaining the records through the 
use of fraud and misrepresentations. The agency has asked the court to stop the conduct and to 
order the defendants to give up their ill-gotten gains, 
in. FTC’s History of Combating Financial Pretexting 

In addition to the recent cases involving telephone records pretexting, the Commission 
has brought actions under Section 5 of the FTC Act and Section 521 of the Gramm-Leach-Bliley 
Act (“GLBA”) against businesses and individuals who used false pretenses to obtain and sell 
financial information without consumer consent. 

The Commission filed its first pretexting case against a company that offered to provide 
consumers’ financial records to anybody for a fee.’ According to the complaint, the company’s 
employees allegedly obtained these records from financial institutions by posing as the consumer 
whose records were being sought. The complaint charged that this practice was both deceptive 
and unfair under Section 5 of the FTC Act. 

In 1999, Congress passed the GLBA, which provided another tool to attack the 


2006, available at 

http://www.nytimes.com/2006/09/07/teohnology/07phone.html?ex=1158465600&en=2f20498c7 

fcc7e5b&ei=5070. 

’ FTC V. James J. Rapp, No. 99WM-783 (D. Colo, final judgment entered June 22, 
2000), available at http://www.ftc.gov/os/2000/06/toucbtoneorder . 


5 



40 


unauthorized acquisition of consumers’ financial information."’ Section 521 of the GLBA 
prohibits “false, fictitious, or firaudulent statement[s] or representation[s] to an officer, employee, 
or agent of a financial institution” to obtain customer information from a financial institution.” 

To ensure awareness of and compliance with the then-new anti-pretexting provisions of 
the GLBA, the Commission launched Operation Detect Pretext in 2001 Operation Detect 
Pretext combined a broad monitoring program, the widespread dissemination of industry 
warning notices, consumer education, and aggressive law enforcement. 

In the initial monitoring phase of Operation Detect Pretext, FTC staff conducted a “surf’ 
of more than 1,000 websites and a review of more than 500 advertisements in print media to 
identify firms offering to conduct searches for consumers’ financial data. The staff found 
approximately 200 firms that offered to obtain and sell consumers’ asset or bank account 
information to third parties. The staff then sent notices to these firms, advising them that their 
practices were subject to the FTC Act and the GLBA and providing information about how to 
comply with the law.” 

The Commission followed its education campaign with aggressive law enforcement, 


15 U.S.C. §§6821-6827 
" /d. at § 6821. 

” FTC press release, “As Part of Operation Detect Pretext, FTC Sues to Halt 

Pretexting” (Apr. 18, 2001), available at httD://www.ftc.gov/opa/2001/'04/nretext.htm . 

” FTC press release, ‘TTC Kicks Off Operation Detect Pretexf ’ (Jan. 31, 2001), 

available at http://www.ftc.gov/ona/2001/01/oretexting.htm . In conjunction with the warning 
letters, the Commission released a consumer alert. Pretexting: Your Personal Information 
Revealed, describing how pretexters operate and advising consumers on how to avoid having 
their information obtained through pretexting, available at 
htto://www.ftc.gov/hcn/conline/nub.s/credit/pretext.htm . 


6 



41 


including a trio of law enforcement actions filed in 2001 against information brokers. In each 
of these cases, the defendants advertised that they could obtain non-public, confidential financial 
information, including information on checking and savings account numbers and balances, 
stock, bond, and mutual fund accounts, and safe deposit box locations, for fees ranging firom 
$100 to $600. Based on evidence obtained in undercover investigations, the FTC alleged that the 
defendants or persons they hired called banks and posed as customers to obtain balances on 
checking accounts. The defendants in each of the cases ultimately agreed to settlements that 
barred them fi'om further violations of the law and required them to surrender ill-gotten gains.** 
Since GLBA’s passage, the FTC has brought over a dozen cases alleging violations of Section 
521 in various contexts.'* 

Because the anti-pretexting provisions of the GLBA provide for criminal penalties, the 
Commission also may refer financial pretexters to the U.S. Department of Justice for criminal 
prosecution, as appropriate. Following one such referral, an individual pled guilty to one count 
of pretexting under the GLBA. ” 

IV. FTC Education and Outreach 


FTC V. Victor L. Guzzetta, No. CV-01-233S (E.D.N.Y. final judgment entered 
Feb. 25, 2002); FTC v. Info. Search, Inc., No. AMD-01-1121 (D. Md. final judgment entered 
Mar. 15, 2002); FTC v. Paula L. Garrett, No. H 01-1255 (S.D. Tex. final judgment entered Mar. 
25, 2002). 

See www.ftc.gOv/oDa/2002/03/nretextuiEsettlements.htm . 

See www.ftc.gov/Drivacv/Drivacvintiatives/pretexting enf.htm. 

*’ United States v. Peter Easton, No. 05 CR 0797 (S.D.N.Y. final judgment entered 
Nov. 17,2005). 


7 



42 


In addition to its law enforcement efforts, the Commission has an extensive program to 
teach consumers and businesses better ways to protect sensitive data. For example, in February 
2006, the Commission released a consumer alert, Pretexting: Your Personal Information 
Revealed, describing how pretexters operate and advising consumers on how to avoid having 
their information obtained through pretexting. 

The FTC also recently launched a nationwide identity theft education program, “Avoid 
ID Theft: Deter, Detect, Defend,” which broadly advises consumers on how to avoid becoming 
victims of identity theft. The message for consumers is that they can (1) deter identity thieves by 
safeguarding their personal information; (2) detect suspicious activity by routinely monitoring 
their financial accounts, billing statements, and credit reports; and (3) defend against ID theft as 
soon as they suspect it. The Deter, Detect, Defend campaign has been very popular. The FTC 
has distributed more than 1.5 million brochures to consumers and 30,000 kits to employers, 
community groups, members of Congress, and others to educate their constituencies. The kits 
contain a victim recovery guide, a training booklet, a guide to talking about identity theft, 
presentation slides, an easy-to-read brochure, and a 1 0-minute video that organizations can use to 
educate their employees, customers, and communities about identity theft. 

The FTC also sponsors an innovative multimedia website, OnGuardOnline, designed to 
educate consumers about basic computer security.'® The website provides information on 
specific topics such as phishing, spyware, and identity theft. Since its launch in late 2005, 
OnGuardOnline has attracted more than 3.5 million visits. All of these materials are part of the 


See www.onguardonline.gov. 


8 



43 


Commission’s comprehemsive library on consumer privacy, data security, and identity theft.'* 

V. The Prevention of Fraudulent Access to Phone Records Act, H.R. 936 

As described above, the Commission has used its jurisdiction under Section 5 of the FTC 
Act to take action against individuals and business engaged in the pretexting or sale of 
confidential phone records obtained through pretexting. Although Section 5 is a powerful tool, 
the Commission continues to support the enactment of more specific prohibitions against phone 
pretexting that provide additional remedies for violations.*" 

The proposed Prevention of Fraudulent Access to Phone Records Act {the “Phone 
Records Act”) contains several important components that would assist the Commission in 
combating phone pretexting. First, in addition to prohibiting pretexting itself, the Phone Records 
Act would extend liability to individuals who solicit such records and knew or should have 
known that the records would be obtained through false pretenses. The Commission agrees that 
those who solicit pretexting should be held responsible, and that the knowledge standard 
contained in the Phone Records Act is the appropriate one, because it would prevent data brokras 
from turning a “blind eye” to the manner in which their sources obtain phone records. 

The Phone Records Act also would allow the FTC to recover civil penalties from 
violators. Often, monetary penalties can be the most effective civil remedy in privacy-related 
actions and, as noted earlier, the Commission currently is unable to obtain this remedy in phone 
pretexting cases brought under the FTC Act. Finally, the Phone Records Act contains an 
important exemption for law enforcement agencies in connection with their official duties. 

See www.ftc.gov/nrivacv/index.html. 

*" See Commission Testimony from the 109“' Congress before this Committee, 
available at htto://www.ftc.gov/opay2006/09/houseenergv.htm . 


9 




44 


In addition to the Phone Records Act, two recently passed statutes will assist in the fight 
against phone pretexting. First, in December 2006, Congress passed and the President signed the 
“US SAFE WEB Act” into law.’' This Act allows greater cooperation and information sharing 
between law enforcers in the United States and their counterparts in other countries. In 
developing the Commission’s phone pretexting cases, FTC staff learned that some websites 
offering consumer telephone records were registered to foreign addresses. The US SAFE WEB 
Act will assist the Commission in pursuing data brokers who are operating outside the United 
States. 

Second, Congress recently approved and, on January 12, 2007, President Bush signed 
into law the Telephone Records and Privacy Protection Act,^’ which criminalizes obtaining 
confidential records by making false statements to a telephone service provider. The 
Commission anticipates that its ongoing actions against phone records pretexting will lead to 
criminal law enforcement referrals to our sister agency, the Department of Justice. 

VI. Conclusion 

Protecting the privacy of consumers’ telephone records requires a multi-faceted ^proach; 
coordinated law enforcement by government agencies against the pretexters; efforts by the 
telephone carriers to protect their records firom intrusion; and outreach to educate consumers on 
actions they can take to protect themselves. The Commission has been at the forefront of efforts 
to safeguard consumer information and is committed to continuing its work in this area. The 

Commission looks forward to continuing to work with this Committee to protect the privacy and 
security of sensitive consumer information. 

The Undertaking Spam, Spyware, and Fraudulent Enforcement with Enforcers 
Across Borders Act of 2006, Pub. L. No. 109-455, 120 Stat. 3372. 

” Telephone Records and Privacy Protection Act, Pub. L. No: 109-476. 


10 



45 


Ms. DeGette. Thank you. 

Mr. Navin. 

STATEMENT OF THOMAS NAVIN, CHIEF, WIRELINE BUREAU, 
FEDERAL COMMUNICATIONS COMMISSION 

Mr. Navin. Thank you. 

Good morning, Madame Chairman, Ranking Member Barton, 
and members of the committee. 

I appreciate the opportunity to speak with you today about the 
ongoing work of the Federal Communications Commission to en- 
sure the privacy of American consumers’ sensitive telephone call 
records. 

Section 222 of the Communications Act requires telecommuni- 
cations carriers to protect the confidentiality of their customers’ 
personal information collected in the course of providing telephone 
service. This information is commonly referred to as “customer pro- 
prietary network information” or CPNI. As you are aware, third 
parties, known as “data brokers” or “pretexters”, had invaded con- 
sumers’ privacy by gaining unauthorized access to this very per- 
sonal data for profit. 

The Commission has taken several steps to curb the unauthor- 
ized disclosures and sale of consumers’ personal telephone records. 
Specifically, FCC Chairman Martin has proposed imposing stricter 
security standards for CPNI for all providers of telephone service, 
including mandatory passwords for accessing customer call records. 
Further, the Commission has investigated, and will continue to in- 
vestigate, this unlawful activity and take strong enforcement action 
to address any violations by telecommunications carriers of their 
obligations to protect CPNI. 

The Commission began its investigation of the data broker prob- 
lem in late summer 2005. In August 2005, the Electronic Privacy 
Information Center, or EPIC, filed a petition for rulemaking at the 
FCC to address the sufficiency of carrier privacy practices in light 
of the fact that online data brokers were selling consumers’ private 
telephone data. In early 2006, the Commission issued a Notice of 
Proposed Rulemaking, inviting comment on the EPIC petition and 
whether additional Commission rules are necessary to strengthen 
the carriers’ safeguards for customers’ records. 

Based on the evidence submitted in its rulemaking proceeding, 
and gathered in its enforcement investigations, the Commission 
has learned about the methods that data brokers routinely use to 
seek to obtain unauthorized access to CPNI. The Commission also 
has learned of a variety of steps carriers can take to further protect 
the privacy of customer account information. 

Significantly, we also recognize the importance of this issue to 
law enforcement, particularly in light of the new Telephone 
Records and Privacy Protection Act of 2006, which makes 
pretexting a criminal offense. The Commission has an item for con- 
sideration before it which would address these issues by requiring 
providers to adopt additional safeguards to protect customers’ 
phone record information from unauthorized access and disclosure. 

The chairman has circulated an order that, for example, proposes 
prohibiting providers from releasing call detail information except 
when the customer provides a password, or by sending it to an ad- 



46 


dress of record or by calling the customer at the telephone of 
record. To protect against possible efforts to circumvent these re- 
quirements, the order proposes to require carriers to notify the cus- 
tomer immediately when information such as passwords or the ad- 
dress of record is created or changed. The chairman also proposed 
a notification process for both law enforcement and customers in 
the event of a breach of CPNI. 

In addition, Chairman Martin proposed to modify our current 
rules to require providers to obtain affirmative customer consent 
before disclosing any of that customer’s phone record information 
to a provider’s joint venture partner or independent contractor for 
marketing purposes. Further, the order proposes to extend all 
CPNI obligations to interconnected voice over Internet protocol, or 
VoIP, providers. These additional privacy safeguards should sharp- 
ly limit pretexters’ ability to obtain unauthorized access to CPNI. 

The Commission also has used its enforcement authority to help 
address this problem. The Commission has issued subpoenas to a 
number of data brokers seeking information about how companies 
obtained phone record information and then sold it. 

Additionally, the Commission has investigated telecommuni- 
cations carriers’ practices to fulfill section 222’s duty to protect cus- 
tomer information through numerous meetings with the carriers, a 
review of the carriers’ annual section 222 compliance certifications, 
and through formal letters of inquiries that have been issued to 
nearly 20 carriers. 

Throughout these investigations, the Commission closely coordi- 
nated with the Federal Trade Commission staff. In addition, the 
Commission has offered assistance to State attorneys general in 
their efforts to combat pretexting. The Commission takes very seri- 
ously any breach of consumers’ privacy, as well as carriers’ statu- 
tory duty to protect the customer information that they collect. The 
Commission also remains committed to strengthening its rules as 
warranted to help ensure that carriers implement adequate prac- 
tices to protect their customers’ privacy, as required by the Com- 
munications Act. We, likewise, will continue to coordinate with the 
Federal Trade Commission, State and Federal attorneys general, 
and other law enforcement authorities about our findings, and 
work with them in any way we can to take legal action against 
data brokers and pretexters. We look forward to working collabo- 
ratively with the members of this committee and other Members of 
Congress to ensure that consumers’ personal phone data remains 
confidential. 

Thank you for the opportunity to testify, and I would be pleased 
to respond to your questions. 

[The prepared statement of Mr. Navin follows:] 



47 


Written Statement 
of 

Thomas J. Navin 

Chief, Wireline Competition Bureau 
Federal Communications Commission 


Before the 

Committee on Energy and Commerce 
U.S. House of Representatives 


On 

“Combating Pretexting: H.R. 936, Prevention of Fraudulent Access to 

Phone Records Act” 


March 9, 2007 



48 


Good morning, Chairman Dingell, Ranking Member Barton, and members of the 
Committee. I appreciate the opportunity to speak with you today about the ongoing work 
of the Federal Communications Commission to ensure the privacy of American 
consumers’ sensitive telephone call records. 

Section 222 of the Communications Act of 1934, as amended, requires 
telecommunications carriers to protect the confidentiality of their customers’ personal 
information collected in the course of providing telephone service. This information is 
commonly referred to as customer proprietary network information or CPNI. As you are 
aware, third parties, known as “data brokers” and “pretexters,” have invaded consumers’ 
privacy by gaining unauthorized access to this very personal data for profit. 

The Commission has taken several steps to curb the unauthorized disclosures and 
sale of consumers’ personal telephone records. Specifically, FCC Chairman Martin has 
proposed imposing stricter security standards for CPNI for all providers of telephone 
service, including mandatory passwords for accessing customer call records. Further, the 
Commission has investigated, and will continue to investigate, this unlawful activity and 
take strong enforcement action to address any violations by telecommunications carriers 
of their obligations to protect CPNI, 

Background 

Congress enacted section 222 of the Act, as part of the Telecommunications Act 
of 1996 amendments, for the express purpose of protecting consumers’ privacy. 
Specifically, section 222 of the Act provides that telecommunications carriers have a duty 
to protect the confidentiality of CPNI, which includes, among other things, customers’ 


2 



49 


calling activities and history, and billing records. The Act limits carriers’ ability to use 
customer phone records even for their own marketing purposes without appropriate 
consumer approval and safeguards. Furthermore, unless otherwise required by law, the 
Act prohibits carriers from using, disclosing, or permitting access to this information 
without customer approval if the use or disclosure is not in connection with the service 
being provided. The Commission’s rules also provide that a telecommunications carrier 
“must have an officer, as an agent of the carrier, sign a compliance certificate on an 
annual basis stating that the officer has personal knowledge that the company has 
established operating procedures that are adequate to ensure compliance’’ with the 
Commission’s CPNI rules. 

The Commission began its investigation of the data broker problem in late 
Summer 2005, and in August 2005, the Electronic Privacy Information Center (“EPIC”) 
filed a petition for rulemaking to address the sufficiency of carrier privacy practices in 
light of the fact that online data brokers were selling consumers’ private telephone data. 
As described in the petition, numerous websites were advertising the sale of personal 
telephone records, including records of calls to and from a particular phone number and 
the duration of such calls, for wireless and wireline customers. Following the filing of 
EPIC’S petition, the Commission moved to consider rules that impose stricter security 
standards on all providers of telephone service concerning sensitive customer 
information. The Commission also took action to investigate these activities under the 
existing CPNI rules. 

On February 1, 2006, Chairman Martin testified before this Committee and in 
response to a request by several members on how best to combat this problem, suggested 


3 



50 


that Congress make illegal the commercial availability of consumers’ phone records. In 
addition. Chairman Martin suggested that a more stringent “opt-in” approval method for 
protection of consumer phone record information could be implemented, and also proposed 
that Congress could strengthen the Commission’s enforcement tools. 

In the last session, Congress adopted legislation called the Telephone Records and 
Privacy Protection Act of 2006, which made pretexting a criminal offense subject to fines 
and imprisonment, and on January 12, 2007, the President signed this legislation. 

On February 8, 2007, Chairman Dingell, Ranking Member Barton, and several 
members of the Committee introduced H.R. 936 to further prohibit fraudulent access to 
telephone records. I note that, among other things, the bill would make pretexting 
unlawful and would expressly extend “opt-in” approval requirements to the sharing of 
certain information with Joint venture partners, independent contractors, and other third 
parties. Further, H.R. 936 would expand the penalties for CPNI violations and make it 
easier for the Commission to bring enforcement actions against non-common carriers, 
such as data brokers. 

Commission Efforts to Strengthen Existing CPNI Rules 

In response to the problem of pretexting, the Commission currently is considering 
new rules to ensure that carriers adequately protect their customers’ private information. 
Specifically, the Commission issued a Notice of Proposed Rulemaking (“Notice”) 
inviting comment on the EPIC petition and whether additional Commission rules are 
necessary to strengthen the carriers’ safeguards for customer records. 


4 



51 


Based on the evidence submitted in its rulemaking proceeding, and gathered in its 
enforcement investigations, the Commission learned that data brokers routinely seek to 
obtain unauthorized access to CPNI by impersonating an authorized user, the account 
holder or another company employee either when speaking with a carrier’s customer 
service representative or via online access. There also has been evidence of some limited 
instances of employee misconduct. And while we consider it a positive development that 
numerous carriers (as well as the FTC and numerous states) have filed lawsuits seeking to 
enjoin pretexting activity, unfortunately it is also an indication of the success pretexters 
have had. 

As we have met with parties regarding the strengthening of our CPNI rules and 
conducted investigations, we have learned of a variety of steps carriers can take to further 
protect the privacy of customer account information, some of which certain carriers are 
implementing today. These steps include, among other things, using better security and 
authentication measures in call centers and with respect to setting up online accounts; 
notifying customers of account changes; providing notice of unauthorized access to 
CPNI; and greater employee training and monitoring. Significantly, we also recognize 
the importance of this issue to law enforcement, particularly in light of the new 
Telephone Records and Privacy Protection Act of 2006, which makes pretexting a 
criminal offense. 

The Commission has an item for consideration which would address these issues 
by requiring providers to adopt additional safeguards to protect customers’ phone record 
information from unauthorized access and disclosure. The Chairman has circulated an 
order that, for example, proposes prohibiting providers from releasing call detail 


5 



52 


information except when the customer provides a password, or by sending it to an 
address of record or calling the customer at the telephone of record. To protect against 
possible efforts to circumvent these requirements, the order proposes to require carriers to 
notify the customer immediately when information such as passwords or the address of 
record is created or changed. The Chairman also proposed a notification process for both 
law enforcement and customers in the event of a CPNI breach. 

In addition. Chairman Martin proposed to modify our current rules to require 
providers to obtain affirmative customer consent before disclosing any of that customer’s 
phone record information to a provider’s joint venture partner or independent contractor 
for marketing purposes. Further, the order proposes to extend all CPNI obligations to 
interconnected voice over Internet protocol (VoIP) providers. These additional privacy 
safeguards should sharply limit pretexters’ ability to obtain unauthorized access to CPNI. 

Commission Enforcement Action 

The Commission also has taken a hard look into the world of data brokerage and 
has used its enforcement authority against both data brokers and carriers to help address 
this problem. As a first step in its investigation and enforcement activities, the 
Commission issued subpoenas to several of the most prominent data brokers in late 2005, 
and again in 2006, seeking information about how companies obtained phone record 
information and then sold it. Some companies failed to respond adequately to our 
requests and almost all companies denied any knowledge of wrongdoing. As a 
consequence of the companies’ failure to respond, the Commission issued letters of 
citation, and ultimately was forced to issue a Forfeiture Order against one company. 


6 



53 


Locate Cell, for its continued failure to respond to the Commission’s subpoenas. We also 
referred Locate Cell’s inadequate response to the Department of Justice for enforcement 
of the subpoena. 

Additionally, the Commission focused its attention on the telecommunications 
carriers’ practices to fulfill section 222’s duty to protect customer information. As a 
result of numerous meetings with various carriers, a review of the carriers’ annual section 
222 compliance certificates, and a review of the carriers’ responses to formal Letters of 
Inquiry sent to nearly 20 carriers, the Commission issued three Notices of Apparent 
Liability for Forfeiture to carriers for failure to comply with the Commission’s rules 
implementing section 222. 

Throughout these investigations, the Commission closely coordinated with 
Federal Trade Commission staff. In addition, the Commission has offered assistance to 
state attorneys general in their efforts to combat pretexting. 

Conclusion 

The Commission takes very seriously any breach of consumers’ privacy, as well 
as carriers’ statutory duty to protect the customer information that they collect. The 
Commission also remains committed to strengthening its rules as warranted to help 
ensure that carriers implement adequate practices to protect their customers’ privacy, as 
required by the Act. We likewise will continue to coordinate with the Federal Trade 
Commission, state and federal attorneys general, and other law enforcement authorities 
about our findings, and work with them in any way we can to take legal action against 
data brokers and pretexters. We look forward to working collaboratively with the 


7 



54 


members of this Committee and other Members of Congress to ensure that consumers’ 
personal phone data remains confidential. Thank you for the opportunity to testify, and I 
would be pleased to respond to your questions. 


8 



55 


Ms. DeGette. Thank you, Mr. Navin. 

Mr. Rotenberg. 

STATEMENT OF MARC ROTENBERG, EXECUTIVE DIRECTOR, 
ELECTRONIC PRIVACY INFORMATION CENTER 

Mr. Rotenberg. Madame Chairman, Ranking Member Barton, 
members of the committee, thank you so much for the opportunity 
to testify before you on the very serious problem of pretexting. 

As you may know, in the summer of 2005, EPIC undertook an 
extensive investigation of the problem of pretexting in the United 
States. We found that personal information, call detail information, 
was available for sale at more than 40 businesses on the Internet. 
We filed a petition with the Federal Trade Commission in which 
we asked the FTC to begin an investigation, and because it was so 
clearly the case that the information at issue concerned personal 
calling records, we petitioned the FCC to open an investigation and 
to establish stronger security standards to safeguard the privacy of 
the call detail information of American telephone consumers. 

We provided very specific recommendations for the FCC: the use 
of passwords, the use of encryptions, and the use of audit trails 
that would ensure that when personal information in the posses- 
sion of the telephone carriers was disclosed, it was disclosed for an 
appropriate purpose and not to a pretexter for a nefarious purpose. 

I recall a year ago at this time having the honor to appear before 
this committee with the chairman and to discuss our petition, and 
at that time, he expressed support for our recommendations. He 
said that he was going forward and issued the petition in February, 
more than a year ago, recommending that stronger security stand- 
ards be established for telephone record information. 

We filed our comments. The telephone industry filed their com- 
ments. We filed our reply comments, and then nothing happened. 
No final rule was ever issued by the FCC, though, remarkably, as 
recently as January 2007 the Commission continued to warn con- 
sumers about the ongoing problem of pretexting of personal tele- 
phone record information. 

I am here before you today to urge you to ensure that the FCC 
act on this petition. And because they have failed to act on this pe- 
tition, we think it is absolutely vital for the legislation that you are 
considering now, which would establish these security standards by 
law, to go forward. The safeguarding of this personal information 
is absolutely crucial, as we have described in our testimony. 

Some will raise the question regarding the legislation that was 
passed by the Congress during the last session, which criminalized 
the act of pretexting, but it did not deal with the source of the 
problem, and that concerns the information that is collected and 
maintains CPNI data that is used in the telecommunication sector, 
and that is the information that is being made available to 
pretexters to commit fraud, identity theft, and other types of crime. 
That is the information that we believe needs to be protected. 

I thank you, again, for the opportunity to be here, and I would 
be pleased to answer your questions. 

[The prepared statement of Mr. Rotenberg follows:] 



56 



EUCTBONIC PRIVACY INFeRMATION CEMTIR 


Prepared Testimony and Statement for the Record of 


Marc Rotenberg, 
President, EPIC 


Hearing on 

“Combating Pretexting: H.R. 936, Prevention of 
Fraudulent Access to Phone Records Act” 

Before the 

House Commerce Committee 
United States House of Representatives 


March 7, 2009 

2123 Rayburn House Office Buildii^ 
Washington, DC 


57 


Chairman Dingell, Ranking Member Barton, and Members of the Committee, 
thank you for the opportunity to testify on the privacy of telephone records and the 
problem of pretexting. My name is Marc Rotenberg and I am Ex«:utive Director and 
President of the Electronic Privacy Information Center in Washington, DC. EPIC is non- 
partisan research organization in Washington, DC that was established to focus public 
attention on emerging privacy and civil liberties issues. With me this morning is 
Caitriona Fitzgerald, a student at Northeastran Law School, who has assisted with our 
testimony. 

We thank the Members of the Committee for holding this hearing and for 
introducing legislation to address the serious problem of pretexting and the associated 
problem of identity theft. In this statement, I will summarize EPIC’S efforts at the FCC to 
establish stronger security standards for customer information, and express our support 
for H.R. 936, the bill now before the Committee. 

The EPIC Petition to the FCC on Security for Calling Record Information 

In the summer of 2005, EPIC undertook an extensive investigation of pretextmg. 
a practice where an individual impersonates another person, employs false pretenses, or 
otherwise uses trickery to obtain personal information. We found that many web sites 
were making available personal infoimation that had been wrot^fully obtaii^d and that 
these services were threatening the privacy and security of American consumers. In July 
2005, we filed a complaint with the Federal Trade Commission concerning a website that 
offered phone records and the identities of P.O. Box owners for a fee through pretexting. 


Combating Pretexting 
House Energy and Commerce 


1 


March 9, 2007 
EPIC Testimony 



58 


We supplemented that filii^ in August 2005 with a list of 40 websites that offered to sell 
phone records to anyone online. 

In light of the fact that so many companies were selling phone records, EPIC 
turned to the Federal Communications Commissicai (FCC) to try to establish better 
safeguards for phone companies’ customer records that were being improperly disclosed. 
On August 30, 2005, EPIC formally petitioned the FCC to initiate rulemaking for 
enhance security safeguards for individual’s calling records. In our petition, we noted 
that, through § 222 of the Telecommunications Act of 1996', Congress has “specifically 
placed the burden of protecting Consumer Proprietary Network Information (CPNI) in 
[telecommunications carriers] hands.”^ Accordingly, the EPIC petition called for the 
FCC to immediately initiate a rulemaking proceeding to address CPNI protection 
measures used by telecommunications carriers, and to invite comment to develop 
adequate safeguards for verifying the identity of parties trying to access CPNI.^ We 
suggested five forms of security measures that could be used by telecommunications 
carriers to more adequately limit disclosure of CPNI.'' 

The telecommunications industry quickly responded to EPIC’s petition, 
suggesting that the FCC take enforcement actions against companies that sell phone 
records, but opposing any regulatory hifervention that would require teleconununications 
carriers to change their security practices.^ We respKjnded, pointing out that enforcement 

' 47 U.S.C. § 222 et seq. (2006). 

^ See Petition of the Electronic Privacy Information Center for Rulemaking to Enhance Security and 
Authentication Standards for Access to Customer Proprietary Network Information, CC Docket No. 96-115 
(filed Aug. 30, 2005) (“EPIC Petition"). 

’/</. 

^ See e.g. exposition of BellSouth Corporation to EPIC Petition, RM Docket No. 11277 (filed Oct 31, 
2005). 


Combating Pretexting 
House Energy and Commerce 


2 


March 9, 2(M)7 
EPIC Testimony 



59 


actions against online data brokers alone was unlikely to prevent the sale of phone 
records, and that "FCC intervention is necessary to enhance security standards and 
authentication standards for access to CPNI.”* The CTIA again responded, asserting that 
no additional rules were necessary, and suggesting that the FCC deny EPIC’s petition to 
safeguard consumer phone records.’ 

In January 2006, after numerous news reports regarding the vulnerability of phone 
records to online data brokers. Senator Harry Reid sent a letter to the FCC, urging the 
agency to "begin an investigation into how online data brokers ate obtaining Americans' 
private phone records, and whether phone companies are doing enough to protect the 
personal and private information with which they are entrusted." A few days later, on 
January 17, 2006, FCC Commissioners Adelstein and Copps released statements calling 
for action to address the illegal sale of telephone records.® Commissioner Adelstein 
noted that EPIC’s petition “could be an appropriate vehicle for tightening {the FCC's] 
rules.”’ 

On February 10, 2006, the FCC approved EPIC’s petition, seeking comment on 
the five measures EPIC suggested in order to improve security of CPNl, as well as other 
measures.'® The comment deadline was April 14, 2006. 


‘ Reply Comments of the Electronic Privacy Information Center, CC Docket No. 96-1 1 5, RM Docket No. 
i 1277 (Nov. 9, 2005) (“EPIC Reply Comments.”) 

’ See Reply Comments of CTIA - Die Wireless Association to EPIC Reply Comments, CC Docket No. 96- 
1 15, RM Docket No, 1 1277 (Nov. 15, 2005). 

* Statement by Commissioner Jonaflian S. Adelstein on Brokering of Personal Telephone Records(Jan. 17, 
2006) (“Adelstein Statement”); Commissioner Michael J. Copps Calls for Action to Address Theft of 
Phone Records (Jan. 17, 2006) (“Copps Statemenf*)- 

* Adelstein Statement. 

‘“See 2 1 F.C.CJI. 1782, 1789(2006). 


Combating Pretexting 
House Energy and Commerce 


3 


March 9, 2007 
EPIC Testimony 



60 


FCC Investieation Into Telecommunications Carrier’s Security Measures 

On September 29, 2006, in a hearing before the House Subcommittee on 
Oversight and Investigations (Committee on Energy and Commerce), Kris Anne 
Monteith, Chief of the FCC Enforcement Bureau, discussed the ongoing FCC 
investigation into phone record security.*’ Chief Monteith asserted in his statement that 
once the record in the rulemaking proceeding closed in June, FCC Chairman Kevin 
Martin "directed the staff to expeditiously prepare an order resolving the issues raised in 
the rulemaking proceeding and intends to bring an order before the full Commission for 
its consideration this Fall.”'^ Despite the apparent urgency of the situation, no such order 
has yet been promulgated. 

All measures the FCC has taken with regard to telecommunications carrier 
responsibility for CPNI security seem to have taken place prior to its Notice of Proposed 
Rulemaking. On January 30, 2006, the FCC issued a Public Notice requiring 
telecommunications carriers to submit CPNI Compliance Certificates.'^ The 
investigation that followed resulted in the issuance of three “Notices of Apparent 
Liability for Forfeiture” to telecommunications carriers for failure to comply with CPNI 
compliance requirements. The FCC has reached consent decrees with two of these three 
carriers. 


" See Written Statement of Kris Anne Monteidi, Hearing on “Internet Data Brokers & Pretexting: Who 
Has Access to Your Private Records?” Before the SubcommiUee on Oversight and investigations. 
Committee on Energy and Commerce, U.S. House of Representatives (Sept. 29, 2006) (“Monteith 
Statement"). 

Public Notice re; Enforcement Bureau Directs AH Telecommunications Carriers to Submit CPNI 
Compliance Certificates (January 30, 2006) (available at biq)://Www.fcc.gov/eb/Public_Notices/DA-06- 
223AlJitml.) 

Monteith Statement at 5. 


Combating Pretexting 
House Energy and Commerce 


4 


March 9. 2(K)7 
EPIC Testimony 




61 


According the Chief Monteith, the FCC has also issued formal “Letters of 

Inquiry” to nearly twenty wireline and wireless carriers.*’ These letters “require the 

carriers to document their customer data security procedures and practices, identify 

security and disclosure problems, and address any changes they have made in response to 

the data broker issue.”’® Analysis of carrier responses is ongoing. 

Despite Repeated Statements that CPNl Should be Protected, the FCC has Failed to Issue 
the Security Guidelines that Would Safeguard Consumer Information 

In its Notice of Proposed Rulemaking (Notice), the FCC recognized that its rules 
implementing § 222 of the Telecommunications Act “require carriers to take specific 
steps to ensure that CPNI is adequately protected from unauthorized disclosure.”*’ It 
further recognized that Congress granted CPNI the greatest level of protection available 
under § 222.'* Thus, the safeguards protecting such information should be such that 
unauthorized access to it is nearly impossible to accomplish. 

However, both the FCC and Congress have recognized that third-party 
unauthorized access to phone records is a widespread practice. As recently as January 
1 8, 2007, the FCC issued a Consumer Advisory entitled “Protecting the Privacy of Your 
Telephone Calling Records,” explaining to consumers that, despite rules protecting such 
information, illegal third-party access to jphone records is occurring.** Congress recently 
passed jegislation making “pretexting” a crime.“ 


“a. -- - ■ - - - — ■ 

” Id. at 1 782; see U.S.C. § 222(a). 

'^Id. 

FCC Consumer Advisory, Protecting the Privacy of Your Telephone Calling Records (Jan. i 8, 2007) 
(available at ht^://www.fcc.gov/cgb/consi3inerfacts/phoneaboutyou.html.) 

“ See 1 8 U.S.C § 1 039 (2006). 


Combating Pretexting 
House Energy and Commerce 


5 


March 9, 2007 
EPIC Testimony 



62 


Despite the recognition that both CPNI deserves the greatest level of protection 
available under § 222 due to its highly sensitive nature, and that such information is 
nonetheless being compromised, the FCC has failed to promulgate regulations to force 
telecommunications carriers to update its security measures to keep up with the changing 
technology available to data brokers. 

Need for Passage of H.R. 936, Prevention of Fraudulent Access to Phone Records 
Act 

Members of the Committee, Congress passed a law at the aid of the last session 
regarding pretexting, but it addressed only a small part of the problem and did not 
provide the type of protection that is necessary to safeguard the privacy of American 
consumers. The Telephone Records and Privacy Protection Act criminali 2 ed pretexting 
but it failed to address the lack of secmity for telephone records or to resolve the question 
as to whether the FTC may use its section 5 authority to give after those who traffic in 
information that is obtained by means of pretexting.^* The Act amends the federal 
criminal code to prohibit obtaining, or attempting to obtain, confidential phone records 
information from a telecommunications carrio- (or any covered entity, as defined in § 
1039(h)(2)) by: (1) making false or fraudulent statements or representations to an 
employee of a covered entity; (2) making such false or fraudulent statements or 
representations to a customer of a covered entity; (3) providing a document to a covered 
entity knowing that such document is false or fraudulent; or (4 )accessing customer 
accounts of a covered entity via the Internet, or by means of conduct that violates section 


ISU.S.C.§ 1039. 


Combating Pretexting 
House Energy and Commerce 


6 


March 9, 2007 
EPIC Testimony 



63 


1030 of this title, without prior authorization from the customer to whom such 
confidential phone records information relates.^ 

Although Congress’ recognition of the seriousness of pretexting, and its efforts to 
criminalize it, are important, nothing in the law that was passed puts a duty on the 
telephone companies that are the actual source of this data to increase their seciurity 
measures. Rather than going after the criminals after the crime occurs, wouldn’t it make 
more sense to reduce the risk that our personal information will be wrongfully disclosed? 
The proposed Prevention of Fraudulent Access to Phone Records Act addresses the 
source of the pretexting problem. 

Title I of the Act grants enforcement powers over the use of false pretenses to 
obtain Consumer Proprietary Network Information (CPNI) (a.k.a. pretexting) to the 
Federal Trade Commission (FTC) by treating it as an unfair or deceptive act or practice 
prescribed under § 18(a)(1)(B) of the Federal Trade Commission Act.^* This will resolve 
any doubt as to the FTC’s authority to prosecute these cases. 

Title II of the Act establishes the Federal Communications Commission (FCC) 
provisions. In Section 201, Congress makes clear that telecommunications carriers have 
a duty to safeguard the confidentiality of its customers personal informatioa^^ In Section 
202, the Act essentially sets forth more detail regarding a telecommunication carrier’s 
obligations to only disclose CPNI to its owner or to authorized users. It prescribes 
requirements for disclosure of detailed information, requirements for affiliate use of both 

1 8 U.S.C. § 1 039(a) (2007). The Act also crimmalized the activities of data brokers, prohibiting the sale 
or transfer of confidential phone records information. § 1 039(b). It also makes those who use data broker 
services criminally liable, prohibiting the act of receiving such information with knowledge that it Wffi 
illegally obtained, f 1039(c). 

” H.R, 936, 1 10th Cong. § 103 (2007). 

” § 201(2), (10). 


Combating Pretexting 
House Energy and Commerce 


7 


March 9, 2007 
EPIC Testimony 



64 


general and detailed information, and requirements for partner and contractor use of 
general information. It further amends § 222(c) of the Communications Act by adding 
a prohibition of sale, renting, leasing, or otherwise making available of CPNI.^* Section 
203 requires the FCC to prescribe regulations adopting more stringent security standwds 
for CPNI to detect and prevent violations of the Act.^^ 

Provisions in the proposed security standards mirror the safeguards suggested by 
EPIC in our August 2005 petition to the FCC. These measures would greatly benefit 
CPNI security. However, it should be noted that the only reference to increasing security 
standards by telecommxmicalions carriers in the required regulations says that a carrier’s 
security policy to should include “appropriate” standards to ensure security. This 
language does not seem to be much of a shift from the language of the Communications 
Act, which states that telecommunications carriers have a “duty to protect” CPNI. If 
carriers have always had a duty to protect such information, it is logical that they have 
been using “appropriate” standards to ensure such protection all along. 


I 202(a). 

“ § 202(d). 

” The regulations Aat the Act requires the FCC to prescribe are; 

(i) to require timely notice to a customer if there is a breach of CPNI regulations relating to his or her 
information; 

(ii) to require timely notice to the FCC if there is a breach of CPNI regulations with rrapect to any 
customer; 

(Hi) to require periodic compliance audits by the FCC of telecommunications carriers; 

(iv) to require telecommunications carriers to keep records of each time CPNI is requested, and if 
access is granted, a note of how the person’s identity or authority to access die information was verified; 

(v) to require telecommunications carriers to establish a security ptrticy that includes “appropriate” 
standards to ensure security of CPNI; 

(vi) to prohibit the use of pretexting by telecommunications carriers. 

§203(hXlXA). 


Combating Pretexting 
House Energy and Commerce 


8 


March 9, 2007 
EPIC Testimony 




65 


However, the Act does detail increased more security measures that would 
improve security of CPNl3* The measures it sets forth to consider are: (i) to require 
telecommunications carriers to “institute customer-specific identifiers in order to access 
CPNI”; (ii) to require encryption of CPNI (or other safeguards to secure the data); (iii) to 
require deletion of CPNI after a reasonable period of time if storage is no longer 
necessary. 

These provisions also mirror the security measures suggested by EPIC in its 
petition to the FCC. If implemented, CPNI security would be significantly stronger. 

While only requiring the FCC to consider such measures is likely just oft-afforded 
administrative deference by Congress, given the measures’ relative ease of 
implementation and the risk to privacy that unauthorized access to CPNI entails, it is vital 
that the FCC act to enforce such protections. 

The Prevention of Fraudulent Access to Phone Records Act would provide much 
needed improved security for CPNI. The information that telephone companies collect 
and generate about the private activities of their customers should be subject to strong 
seciaity standards that minimize the risk that individuals will be subject to pretextii^ and 
identity theft. CPNI was granted the highest level of protection under the 
Communications Act - acknowledgment of its extremely sensitive nature. As Congress 
recognizes in the Act, such mfdhfiafion conveys details" about the most intimate aspects 
of an individual’s life. Moreover, such information is often used in furtherance of acts of 
stalking, domestic violence, and other violent crimes. Telephonme 


1 203(h)(lKB). 


Combating Pretexting 
House Energy and Commerce 


9 


March 9, 2007 
EPIC Testimony 



66 


Conclusion 

Mr. Chairman, a year ago I had the privilege to appear before this Committee and 
to discuss EPIC’S efforts to bring attention to the problem of pretexting well before the 
Hewlett-Packard matter was uncovered. I described our efforts to inform the FTC about 
this new threat as well as our petition to the FCC to establish stronger security standards 
for telephone record information. I was heartened at that time by Chairman Martin who 
expressed concern about the problem of pretexting and indicated that his agency was 
prepared to act on our petition. In fact, he thanked EPIC for bringing the Commission’s 
attention to the problem. 

Here we are now a year later and there has still been no proposal from the FCC to 
improve the security of the calling information of American consumers. There has been 
no concerted effort to work with the telephone companies to establish clear guidelines. 
Moreover, the Chairman has failed to address the question of whether the telephone 
companies violated the federal Communications Act when they disclosed tiie records of 
American citizens to the government without judicial approval. He should open an 
investigation on this issue as soon as possible. 

The privacy provision for telecommunications service in the United States goes 
back to the original Communications Act of 1934.“ Privacy protection is critical for 
consumer trust and confidence in our nation’s communications services as well as the 
success of future communications services. The legislation before the Committee will 
begin to address the challenges the Commission has been unwilling or unable to. 

Thank you for your attention. I will be pleased to answer your questions. 


” § 605 . 


Combating Pretexting 
House Energy and Commerce 


10 


March 9, 2007 
EPIC Testimony 



67 


Ms. DeGette. Thank you, Mr. Rotenberg. 

Mr. Largent. 

STATEMENT OF HON. STEVE LARGENT, PRESIDENT, CHIEF 
EXECUTIVE OFFICER, CTIA-THE WIRELESS ASSOCIATION 

Mr. Largent. Thank you, Chairwoman and Ranking Member 
Barton and members of the committee. 

On behalf of CTIA, I am pleased to testify on H.R. 936 and the 
steps the wireless industry is taking to ensure the safety and secu- 
rity of wireless customers and consumers. 

At the outset, I want to be clear. CTIA’s member companies take 
seriously their obligation to protect customers’ CPNI. In that sense, 
your goal is our goal, too. 

In addition to meeting their duties under section 222, every car- 
rier has a market-based interest in seeing that customer records 
are not disclosed without proper permission. Carriers employ a 
broad range of security measures to prevent unauthorized access to 
these records. In general, the system works well, as there are lit- 
erally hundreds of millions of positive customer service interactions 
every year. 

Nonetheless, well-publicized instances of pretexting and the leg- 
islative and oversight activities that followed in this committee and 
elsewhere served as a wake-up call for all of us. I am pleased to 
say that the wireless industry did not wait idly by for someone else 
to solve the problem. In addition to offering our assistance to the 
committee, each of CTIA’s national carriers filed and obtained in- 
junctions to shut down data thieves. The carriers also teamed with 
law enforcement to identify individuals and companies involved in 
fraudulent activities to help put these criminals out of business. 

CTIA also supported legislation approved by the 109th Congress 
to criminalize the act of pretexting. Since the President signed the 
bill, the market for pretexting services has evaporated under the 
threat of Federal prison time and sizable financial penalties. The 
positive effect of this legislation cannot be overstated. 

CTIA’s members have not relied exclusively on the legal process 
to address pretexting. In the past year, wireless carriers have 
adopted a variety of procedures and tools to stop unauthorized ac- 
cess to CPNI. As is true in every other facet of the business, flexi- 
bility and innovation make a difference in the effort to defeat 
pretexters. Some carriers have focused on process. Others have cho- 
sen to use technology to help solve the problem. This variation be- 
tween carriers is a positive, as static practices can become out- 
moded or avoided by third parties with ill intent. CTIA and its 
member companies strongly support additional enhanced security 
measures that can help to better protect consumers. 

I detail each of these points in my written testimony, but let me 
briefly explain what CTIA supports. 

We support giving customers the option of using pass codes to 
protect account detail. We support restricting disclosure of cus- 
tomers’ Social Security numbers, tax ID, entire credit card number, 
or billing name and address in response to inbound customer calls. 
We support policies that preclude the release of call detail records 
via fax or e-mail, and we support confirmation of the FTC’s juris- 
diction in this area. 



68 


While CTIA supports reasonable measures to enhance the secu- 
rity of CPNI, any legislation the committee proposes should be nar- 
rowly targeted and responsive only to actual problems. Carriers 
must continue to have the flexibility to innovate and compete. 

With this in mind, I have several specific observations to offer. 

First, CTIA members are concerned about any provisions in H.R. 
936 that would require carriers to obtain specific customer consent 
before they can share CPNI with affiliates and joint venture part- 
ners that provide marketing and other services to carriers that are 
otherwise permissible under the law. In instances where CTIA 
member companies share CPNI with third parties to aid in market- 
ing, billing, and customer service efforts, they impose strict con- 
tractual oWigations to protect customer information. There are also 
existing FCC requirements that cover such arrangements. Limiting 
the ability of carriers to share CPNI with third parties is burden- 
some and has no connection with the goal of preventing fraudulent 
access to phone records. We believe that an approach focused on 
enhanced security rather than introducing additional customer con- 
sent mechanisms is the best way to protect CPNI from unauthor- 
ized use. 

Second, if Congress opts to act in this area, it should do so in 
the way that promotes uniformity and efficiency. We are seeing in- 
creased attention being paid to these issues at the State level, 
where, at last count, 34 different pieces of legislation related to call 
records have been introduced this year. Even when these bills are 
similar, they often contain variances that can make them difficult 
and costly to implement. What is needed is a uniform, national pol- 
icy that properly balances consumer protection and carrier flexibil- 
ity. 

Let me conclude by underscoring the wireless industry’s commit- 
ment to protecting CPNI. I can assure you that we will continue 
to enhance and improve our safeguards for sensitive customer in- 
formation. It is already the law, it is common sense, and it is good 
business. 

Thank you. 

[The prepared statement of Mr. Largent follows:] 



E^oanamg 'he Wre/ess From/e-' 


CTJA 


TESTIMONY OF 

THE HONORABLE STEVE LARGENT 
PRESIDENT AND CHIEF EXECUTIVE OFFICER 
CTIA - THE WIRELESS ASSOCIATION® 

BEFORE THE 

U.S. HOUSE OF REPRESENTATIVES 
COMMITTEE ON ENERGY AND COMMERCE 

MARCH 9, 2007 


Good morning, Chairman Dingell, Ranking Member Barton, and members of the Committee. 
On behalf of CTIA. 1 am pleased to have this opportunity to testify on H.R. 936 and the steps 
that the wireless industry is taking to ensure the safety and security of wireless consumers. 

At the outset, I want to be clear: CTIA’s member companies take seriously their obligation to 
protect their customers' CPNl. In that sense, your goal is our goal too. 

* ♦ * • * 

The Wireless Industry Is Committed to Protecting CPNl 

Carriers have a duty to protect CPNl under the Commission's existing rules and Section 222 
of the Communications Act. Beyond that, every carrier has a market-based interest in seeing 
that customer records are not disclosed without the proper permission. Any carrier which 
fails to adequately safeguard the privacy of its customers will - and should - suffer in the 
marketplace. For this reason, wireless carriers employ a broad range of security measures to 
prevent unauthorized access to and disclosure of these records. In general, the system works 


1400 161hSlreei, NW Suite 600 Washin^on. DC 20036 Mam 202 765.0081 Fax 202-765.0721 


LCtia.Ofs 



70 


well, as there are literally hundreds of millions of positive customer service interactions 
every year. 

While it is the exceptions that generate headlines, I am pleased to tell you that since 1 last 
appeared before the Committee on this subject, much progress has been made to ensure that 
CPNI is protected, and that those who attempt to procure it illicitly are thwarted and 
punished. 

Incidents like the unauthorized release of General Wesley Clark's call records and the 
Hewlett-Packard pretexting scandal served as a wake-up call for all of us. The wireless 
industry did not wait idly by for someone else to solve the problem. Each of CTlA’s national 
carriers filed and obtained injunctions that shut down data thie\ es and the carriers teamed 
with law enforcement to identify individuals and companies involved in fraudulent activities 
to help put these criminals out of business. 

CTIA supported legislation approved by the 109’*’ Congress to criminalize the act of 
pretexting. President Bush signed the Telephone Records and Privacy Protection Act of 
2006 (H.R. 4709, P.L. 109-476) in January. Since enactment of that legislation, the market 
for pretexting services has evaporated under the threat of Federal prison time and sizeable 
financial penalties. The positive effect of the legislation cannot be overstated. Although the 
law is less than two months old, a Google search performed prior to this hearing did not find 
the kind of advertisements offering to procure customers’ cal! records that were prevalent 
just a short time ago. 


2 



71 


CTIA’s members have not relied exclusively on the legal process to address pretexting. 

In the past year, wireless carriers have adopted, and continue to adopt, a variety of 
procedures and tools to stop unauthorized access to CPNI. As is true in every other facet of 
the business, flexibility and innovation make a difference in the effort to thwart pretexting. 
This variation between carriers is a positive, as static practices can become outmoded or 
avoided by third parties with ill intent. 

Some carriers have focused on process. Alltel. Cingular (now AT&T), and T-Mobile have 
implemented policies prohibiting their customer sendee representatives from providing call- 
detail information over the phone to anyone. Verizon Wireless has made a major 
commitment to enhanced training of customer service representatives. Others have chosen 
to use technology to help solve the problem. SprintNextel has embarked on an effort to 
utilize interactive voice response (IVR) technology to authenticate customers before the 
customer is routed to a customer service representative. IVR authentication can improve the 
security of customer accounts by further distancing authenticating information from customer 
service representatives, and by masking certain account information, such as call-detail 
records from the customer service representative, pending successful IVR authentication. 

CTIA and its member companies strongly support additional enhanced security measures that 
can help to better protect consumers. 


3 



72 


Specifically, CTIA supports giving customers the option of using passcodes. Many carriers 
already offer password protection, especially for online account access, for those customers 
who seek extra protection beyond the typical verification procedures. .Across the wireless 
industry, passcodes have become standard operating procedure. Nonetheless, a blanket 
obligation that all accounts be password protected is undesirable, as passwords may not be 
wanted by every customer. Surveys and carrier experience have shown that some customers 
are burdened by having to remember numerous passwords for various accounts that may 
easily be forgotten or lost, and thus resist password protection for access to their account. In 
addition, there are customers who freely share their passwords with significant others and 
family members, therefore compromising the security of their own accounts. As an 
alternative to forcing password usage for all account access. CTIA supports a requirement 
that carriers make passwords available to all customers for account access. Customers 
should then be informed of the benefits of such passwords and the ways to effectively 
safeguard account access, 

CTIA believes a rule that prohibits disclosure of a customer’s entire Social Security Number, 
Tax ID, entire credit card number, or billing name and address in response to inbound 
customer calls may provide a useful deterrent to pretexting. There is no good reason why a 
carrier should provide customers with their personal-identifying account information. Many 
carriers already have implemented this procedure. 

CTIA supports, and its carriers have adopted, policies that preclude the release of call detail 
records via fax or e-mail. Consumers seeking call detail information can only be provided 


4 



73 


with that information if it is mailed to the address of record for billing purposes, or after the 
customer is called back on his or her registered mobile number. While some customers may 
find this practice inconvenient, this inconvenience is outweighed by the corresponding 
security benefits of these policies. 

Finally, the Chair of the Federal Trade Commission, Deborah Majoras. has declared that the 
FTC has sufficient authority to act against parties that engage in the theft and illegal sale of 
cal! records. Nonetheless, if the Congress seeks to confirm the FTC's jurisdiction in this 
area, as is proposed in Title I of H.R. 936, CTl.'k would support such action, as we did last 
year. We would hope, however, that providing the FTC with civil enforcement authority will 
not in any way diminish the criminal prosecution of data thieves. 

Wireless Carrier Concerns with H.R. 936 
While CTIA supports reasonable measures to enhance the security of CPNI, CTIA’s 
members have strong concerns about “one size fits all” legislative proposals that do not 
provide carriers with the fle.xibility that has served them so well in the marketplace. Any 
legislative obligations the Committee proposes should be narrowly targeted and responsive 
only to actual problems rather than theoretical possibilities and provide the flexibility that 
carriers need to innovate and compete. With this in mind, 1 have several specific 
observations to offer. 

First, CTIA’s members are concerned about any provisions in H.R, 936 that would require 
carriers to obtain specific customer consent - whether "opt-in” or “opt-out” - before they can 


5 




74 


share CPNI with affiliates and joint venture partners that provide marketing and other 
services to carriers that are otherwise permissible under the law. 

In instances where CTIA member companies share CPNI with third parties to aid in 
marketing, billing, and customer service efforts, they impose strict contractual obligations to 
protect customer information. There are also e.xisting FCC requirements that cover such 
arrangements. 

Additionally, the imposition of new' restrictions on the ability ofcarriers to share CPNI with 
Joint venture partners or independent contractors is unduly burdensome and has no 
connection with the goal of preventing fraudulent access to phone records. Many CTIA 
members employ third-parties to assist with billing and customer care functions. The parties 
that engaged in these activities for our carriers are bound by strict safeguarding agreements 
that govern both confidentiality and security obligations. 

In general, industry practice obligates subcontractors to (1 ) use administrative, technical, and 
physical safeguards to protect customer information, (2) access and use customer information 
only on a need-to-know basis, (3) maintain strict confidentiality of customer information, (4) 
return or destroy customer information when it is no longer needed, and (5) submit to 
security and privacy audits. Contractors generally work in highly controlled environments 
and handle information that, while technically considered CPNI, is not the call-detail CPNI 
that pretexters seek. 


6 



75 


CTIA is not aware of any credible suggestion that third-party contractors or joint venture 
partners have misused any CPNl that has been shared with them by a wireless carrier. The 
national carriers and Tier II carriers such as U.S. Cellular Corp., Dobson Communications, 
and MetroPCS Communications have each noted in their FCC filings that restricting or 
imposing burdensome requirements on the use of independent contractors and joint venture 
partners to help deliver, bill for. and market products and serv'ices to consumers will raise 
costs without any corresponding benefit. This problem might be particularly acute for 
smaller carriers which lack the ability to spread potential compliance costs over a national 
customer base. 

While the bill appears to permit some sharing of information with third parties to initiate, 
render, bill, and collect for services and to provide customer service, this exemption is 
potentially compromised by the sw'ecping restrictions on disclosures elsew'here in the bill. 

We believe that an approach focused on enhanced security rather than introducing additional 
customer consent mechanisms is the most effective, cost-beneficial, and constitutionally 
permissible means by which to protect CPNI. 

As a general matter, wireless companies should have the flexibility to use CPNl to market 
services other than telecommunications and Internet access to customers whose prior 
purchasing habits suggest they may be interested in additional serv'ices. Amazon.com and 
L.L. Bean have that flexibility; wireless carriers should too. Wireless carriers do not 
safeguard CPNl any less when such information is used to market other services as compared 
to when it is used to market their core services, and, as the record in the FCC’s proceeding on 


7 



76 


the EPIC petition demonstrates, there is no causal connection between Section 222's existing 
“opt-out” regime and the fraud perpetrated by pretexters. Depriving wireless carriers of the 
ability to use CPNI to market additional services to existing customers is not a necessary part 
of the effort to eliminate pretexting. 

Unfortunately, as drafted, the bill appears to preclude a wireless carrier from informing only 
that subset of customers who have handsets that can receive a new serv'ice such as mobile TV 
(e.g., Verizon Wireless’ V-Cast or Qualcomm’s Media Flo) that such serv'ices are available. 
Instead, a carrier wishing to offer these services would have to market them to its entire 
customer base - in some cases as many as 50 million people - just to reach early adopters. 
This is a terribly inefficient restriction on a competitive business, and it does not make CPNI 
any safer. 

CTIA also opposes the pro\'isions of H.R. 936 that direct the Commission to consider 
whether it should require carriers to encrypt all stored CPNI data. The Commission is 
already considering such a requirement in its current proceeding, and thus far the record 
shows no evidence of unauthorized access of stored CPNI within carriers’ databases. 
Mandatory encryption of stored call records would not have the effect of preventing 
pretexting. Conversely, it would increase costs, potentially delay response to legitimate 
customer service inquiries, and needlessly complicate carrier storage and access methods. 
Accordingly, CTIA urges that this provision be dropped from the bill. 


8 



77 


In addition, the bill’s provisions on “Access to Wireless Telephone Numbers” are overly 
broad. I appreciate what the drafters of this language were attempting to achieve when it was 
added to the bill last year, and I can assure you that CTIA’s member companies have no 
plans to create a wireless directory without a customer’s express opt-in consent. However, 
wireless numbers are employed for other important and legitimate uses — such as the sale and 
delivery of third-party content, including things like news alerts, games, and ring tones — that 
should not be frustrated by efforts to limit the creation of a directory. 

Finally, if Congress opts to act in this area, it should do so in a w’ay that promotes uniformity 
and efficiency. We are seeing increased attention being paid to these issues at the state level, 
w'here at last count, 34 different pieces of legislation (in 17 states) related to call records have 
been introduced this year. In the last legislative session, there were 75 bills in 28 states. 

Even when these bills are generally alike, they often contain variances that can make them 
difficult and costly to implement. The wireless industry does not welcome having to deal 
with a multitude of varying state-by-state obligations in this area. How well a consumer is 
protected, or what obligations a carrier faces, should not vary widely by location, and what is 
needed is a uniform national policy that properly balances the need to protect consumers 
while allowing carriers the flexibility to operate in the most efficient and cost-effective 
manner possible. 


♦ ♦ ♦ ♦ 




9 



78 


I believe that the wireless industry is in a better place today than the last time I appeared 
before you on this subject. The carriers have invested significant time and resources to make 
CPNI more secure. The much-publicized criminal activity that prompted congressional 
attention led to enactment of important legislation that dried up the market for pretexting. 
Equally importantly, these actions have focused the industry on efforts to improve its 
practices. Real progress is being made, both in terms of employee training and investment in 
new and improved systems, and that commitment will continue. 

I commend the Committee and the authors of this legislation for the attention you have 
focused on this issue. The wireless industry looks forward to continuing to work w'ith you to 
ensure that our customers’ phone records are protected. 1 do hope, however, that as the 
Committee considers H.R. 936. you will preserve the wireless industry's flexibility to 
continue to provide consumers with innovative new services at affordable prices. 

Thank you for the opportunity to share the wireless industr\’'s views on this matter. 


10 



79 


Ms. DeGette. Thank you, Mr. Largent. 

Mr. McCormick. 

STATEMENT OF WALTER MCCORMICK, PRESIDENT AND CHIEF 

EXECUTIVE OFFICER, UNITED STATES TELECOM ASSOCIA- 
TION 

Mr. McCormick. Madame Chair, Mr. Barton, members of the 
committee, on behalf of the member companies of the United States 
Telecom Association, I want to thank you for this opportunity to 
testify on the important issue of safeguarding consumers’ phone 
records from fraudulent use by pretexters. 

This committee has a long history of working to protect consum- 
ers. Our industry shares your concern for protecting customer in- 
formation. Protecting privacy is a critical component of our cus- 
tomer care. 

In today’s highly-competitive marketplace, no industry should 
take the privacy of its customers lightly. As our member companies 
begin offering a variety of new, advanced broadband services, we 
see our reputation for delivering quality service and protecting the 
privacy of our customers as a competitive advantage. 

There is a strong business incentive to protect customer privacy. 
There is an existing legal obligation as well. Section 222 of the 
Communications Act provides that telecommunications carriers 
have a duty to protect the confidentiality of customer proprietary 
network information. 

This legal obligation is taken very seriously by our member com- 
panies. We educate and train our customer service employees. We 
observe strict security protocols, and we tightly define our agree- 
ments with marketing firms. 

We believe the best way to address the problem of fraudulent ac- 
cess to phone records is through the enforcement of existing laws 
and the strengthening of penalties on bad actors. In this regard, we 
applaud title I of this legislation, which would explicitly ban the 
practice of pretexting and give the Federal Trade Commission au- 
thority to enforce this prohibition. This provision complements and 
strengthens the action taken by Congress last year in establishing 
criminal penalties for pretexting. 

We are concerned, however, that the broad approach taken in 
title II of the bill will have a number of negative consequences, con- 
sequences that appear to be unintended ones, ones that would im- 
pact legitimate marketing practices that are, in many ways, pro- 
consumer. Consumers benefit when their communications carriers 
offer them new discount packages and innovative services. The in- 
formation we typically rely upon in pursuing marketing opportuni- 
ties focuses on purchasing patterns and the types of services that 
a customer is receiving, information that is of little or no use to 
pretexters, the kind of pretexters that this bill seeks to target. 

For example, if a customer has caller ID in order to avoid un- 
wanted calls at dinnertime, CPNI enables our marketers to identify 
a customer that might have an interest in receiving a bundle dis- 
count that could include call management or call-blocking features. 
If a customer has subscribed for both voice service and high-speed 
Internet access, this is a customer that might have an interest in 



80 


learning about savings that could be obtained by broadening this 
bundle to include video. 

The provisions proposed in title II could significantly impede this 
pro-consumer outreach, all without addressing any identifiable 
problem of fraudulent access to phone records. We are aware of no 
evidence to suggest that marketing of services, either directly or 
through joint venture partners, has resulted in any abuse of cus- 
tomer proprietary information. Indeed, FCC regulations require 
that confidentiality agreements be in place before CPNI is shared 
with joint venture partners or contractors. Businesses succeed by 
being responsive to their customers. 

As currently drafted, however, title II would severely impede the 
ability of our industry to bring to the attention of its customers the 
opportunity to take advantage of improved services or increased 
savings. We have been informed that this is not the committee’s in- 
tent, that instead the committee intended to only impose new re- 
strictions on the sharing and disclosure of detailed customer tele- 
phone records. There is currently an FCC proceeding underway 
that is considering the same thing. 

if it is, in fact, the committee’s intention to only address this lim- 
ited, call-detailed information, information related to matters such 
as individual locations, duration, time, and date of specific cus- 
tomer communications, then we would suggest that the bill lan- 
guage be clarified so that our industry can continue offering to its 
customers new services and bundled savings, as it does under cur- 
rent rules, while affording new protection to detailed customer tele- 
phone records. 

Our industry also has significant concerns with section 203, 
which would prescribe burdensome audit trail requirements. The 
last time the FCC looked at this issue, the cost of complying was 
enormous. It could range anywhere from $12 to $64 per line, which 
would clearly be a hardship for many consumers. 

Madame Chair, again, thank you for the opportunity to testify 
today, and we look forward to working constructively with you to 
prevent pretexting and identity theft. 

[The prepared statement of Mr. McCormick follows:] 



81 


Testimony of Walter B. McCormick 
President and CEO 
United States Telecom Association 
Before the House Committee on Energy and Commerce 

March 9, 2007 

Mr. Chairman, Ranking Member Barton, and members of the Committee, on 
behalf of the member companies of the United States Telecom Association, 

I want to thank you for this opportunity to testify on the important issue of 
safeguarding consumer’s phone records from fraudulent use by pretexters. 

This Committee has a long history of working to protect consumers. Our 
industry shares your concern for protecting customer information. 

Protecting privacy is a critical component of our customer care. 

In today’s highly competitive marketplace, no industry should take the 
privacy of its customers lightly. As our member companies begin offering a 
variety of new advanced broadband services, we see our reputation for 
delivering quality service and protecting the privacy of our customers as a 
competitive advantage. 

There is a strong business incentive to protect customer privacy. There is an 
existing legal obligation, as well. Section 222 of the Communications Act 
provides that telecommunications carriers have “a duty” to protect the 
confidentiality of customer proprietary network information. 

This legal obligation is taken very seriously by our member companies. We 
educate and train our customer service employees, we observe strict security 
protocols, and we tightly define our agreements with marketing firms. 

We believe the best way to address the problem of fraudulent access to 
phone records is through the enforcement of existing laws and the 
strengthening of penalties on bad actors. In this regard, we applaud Title I 
of this legislation, which would explicitly ban the practice of pretexting and 
give the Federal Trade Commission authority to enforce this prohibition. 

This provision complements and strengthens the action taken by Congress 
last year in establishing criminal penalties for pretexting. 


1 



82 


We are deeply concerned, however, by the broad approach taken in Title II 
of the bill. We believe that it will neither increase customer security nor 
reduce the amount of marketing materials customers receive. In fact, 
customers would likely see an increase in such materials, as carriers would 
be forced to take a generic approach to their marketing - a direct result of 
provisions that would impede the kind of targeted marketing that consumers 
value most. 

Consumers benefit when their communications carriers offer them new 
discount packages and innovative services. The information we typically 
rely upon in pursuing marketing opportunities focuses on purchasing 
patterns and the types of services a customer is receiving, information that is 
of little or no use to the pretexters this bill seeks to target. 

For example, if a customer has caller ID to avoid unwanted calls at 
dinnertime, CPNI enables our marketers to identify a consumer that might 
have an interest in receiving a bundled discount that might include call 
management, a service that forces the caller to give their name before the 
call rings through, or call blocking features. If a customer has subscribed for 
both voice service and high-speed internet access, he might have an interest 
in learning about savings that could be obtained by broadening his bimdle to 
include video. For consumers, this kind of targeted marketing can be highly 
informative, helpful, and result in real savings. 

The provisions proposed in Section 202 could significantly impede this pro- 
consumer outreach — all without addressing any identifiable problem of 
fraudulent access to phone records. We are aware of no evidence to suggest 
that marketing of services, either directly, or through joint venture partners, 
contractors, or other third parties has resulted in any abuse of customer 
proprietary infonnation. Indeed, FCC regulation §64.2007 requires that in 
order to share CPNI with joint venture partners or contractors, 
telecommunications carriers must first enter into confidentiality agreements 
with these third parties. The agreement must require that the third party only 
use the information for marketing or providing communications-related 
services for which the information was provided; that the third party be 
prohibited fi-om sharing the data with any other party; and that the Aird party 
have appropriate protections in place to ensure the confidentiality of 
consumers’ information. 


2 



83 


Businesses succeed by being responsive to their customers. As currently 
drafted, however. Title II would severely impede the ability of our industry 
to bring to the attention of its customers the opportunity to take advantage of 
improved services or increased savings. We have been informed that this is 
not the Committee’s intent - that, instead, the Committee intended to only 
impose new restrictions on the sharing and disclosure of “Detailed Customer 
Telephone Records.” There is, currently, an FCC proceeding underway that 
is considering the same thing. If it is, in fact, the Committee’s intention to 
only address this limited call detail information - information related to 
matters such as the individual locations, duration, time, and date of specific 
customer communications - then we would suggest that the bill language be 
clarified so that our industry can continue offering its customers new 
services and bundled savings, as it does under current rules, while affording 
new protection to detailed customer telephone records. 

Our industry also has significant concerns with Sec. 203, which would 
prescribe burdensome audit trail requirements. The last time the FCC 
looked at this issue in the late 1 990s, the cost of complying with similar 
requirements was estimated at up to $270 million per carrier. These 
mandates get factored into the cost of doing business and eventually affect 
the prices consumers pay ... in this case with very little, if any, benefit. In 
fact, small, rural carriers estimated that the additional cost of compliance 
could range from $12-S64 per line — clearly a hardship for many 
consumers. 

Mr. Chairman, again, we thank you for the opportunity to be here today. We 
look forward to working constmctively with you and the members of the 
committee to develop sound policies that focus on preventing pretexting and 
illegal invasions of privacy. 

I look forward to responding to any questions you may have. 

### 


3 



84 


Ms. DeGette. Thank you, Mr. McCormick. 

Mr. Einhorn. 

STATEMENT OF DAVID EINHORN, PRESIDENT, GREENLIGHT 

CAPITAL, INC. 

Mr. Einhorn. Good morning, Madame Chairman and members 
of the committee, and thank you for holding this hearing. And I ap- 
preciate your sympathy. 

Although I did not ask to participate in this hearing, I appreciate 
the invitation to describe my experience as a victim of pretexting. 

My testimony is about a corporation and management team that, 
in attempting to ensure their survival, placed no limits on the exer- 
cise of their power. 

Pretexting is a brazen invasion of privacy when a large corpora- 
tion has its agents spy on private citizens in order to intimidate 
then and silence criticism that threatens more than just the sanc- 
tity of the individual’s privacy. It threatens the freedom of the se- 
curities markets for which we take for granted. 

I am the president of Greenlight Capital, a long-term, value-ori- 
ented investment company. One of our long-term investments is Al- 
lied Capital. Our research showed Allied suffered from significant 
accounting and operational deficiencies, and Greenlight took a 
short investment position based upon that belief 

Our research indicated that, among other things. Allied misled 
the public about the value of its investments, valuing them at origi- 
nal cost, even after the investments go bankrupt. We later found 
that small business lending unit defrauded the SBA and the USDA 
Government lending programs, costing taxpayers hundreds of mil- 
lions of dollars. 

In 2002, I voiced my concerns about Allied at an investment re- 
search conference, which was part of a charity fundraiser for a pe- 
diatric cancer hospital. I told the audience why I had sold Allied 
short and pledged to give half of my personal profits on this invest- 
ment to the children’s hospital sponsoring the event. 

In response to my speech, instead of examining and cleaning up 
these problems. Allied attacked me. The company conducted a cam- 
paign to discredit me, attacking my reputation and my motivations. 
But ultimately, regulators and prosecutors have begun to see 
through Allied’s tactics. The FCC began an investigation in 2004, 
and later that same year, the U.S. Attorney from the District of Co- 
lumbia began a criminal investigation. 

Some time that year. Herb Greenberg, a respected financial jour- 
nalist for Dow Jones, who had written critically about Allied, told 
me that his phone records had been stolen. I subsequently learned 
a woman, unknown to me, had called my long distance provider, 
identified herself as my wife, provided her Social Security number, 
and opened an online account to obtain our home telephone 
records. 

Somebody also stole the phone records of other known critics of 
Allied, including hedge fund managers, a journalist, a research an- 
alyst, an individual investor, and a former media relations advisor 
to Greenlight. 

In March 2005, I wrote a private letter to Allied’s Board of Direc- 
tors, asking the Board to fully investigate what had happened. A 



85 


week later, I received a brush-off response. Last fall, after the 
Hewlett-Packard’s chairman admitted to pretexting and later re- 
signed, I again asked Allied’s Board to investigate. Allied re- 
sponded, saying they had found no evidence to support my claim. 

Then Allied’s management went on the offensive, yet again. On 
the company’s November 8, 2006 quarterly earnings conference 
call, chief executive officer William Walton spent several minutes 
attacking my motivations and stating that my concerns about my 
stolen phone records were “yet just another example of Mr. 
Einhorn’s tactics”. And he issued his own denial that anyone at Al- 
lied had accessed my records, saying, “There is simply no evidence 
to support a claim that Allied tried to access Einhorn’s phone 
records. We never received his records.” 

In December 2006, Allied was served with a grand jury sub- 
poena, and then their story changed. In a press release dated Eeb- 
ruary 6, 2007, Allied admitted that its agent had stolen not only 
my home phone records but also Greenlight’s records. The press re- 
lease, itself, was a model of evasion, however, and not at all con- 
sistent with the disclosure expected of a public company. It left un- 
answered a number of questions: who had obtained the records, 
who else’s records did they steal, who had authorized the theft, and 
for what purpose, what did they do with this information, and what 
else did these agents do to gather information about their critics? 

After the Hewlett-Packard pretexting scandal, HP immediately 
apologized to the victims and promised to give the victims a full ac- 
count. But I have not heard from Allied. Nobody has contacted me 
to apologize or explain who invaded my privacy or for what pur- 
pose. 

In conclusion. Allied’s behavior strikes at the ethical heart of the 
securities markets, which are based on the free and fair flow of 
ideas, critical and otherwise. It is a cold reality that companies left 
to their own devices will rarely divulge the full truth about their 
problems. It is left to others, regulators, analysts, the media, and 
investors like myself to hold companies accountable. The free ex- 
change of ideas in our market system depends on the very people 
who were pretexted in this case. There are many valuable voices 
in the marketplace who will choose not to criticize companies for 
fear of being retaliated against. Nobody wants their privacy in- 
vaded. 

As the committee has noted this very legislation, action, such as 
pretexting, can lead to harassment and intimidation. It can also 
lead to less information in the marketplace. A line must be drawn. 
I support this legislation. 

Thank you, Madame Chairman, and I am available to answer 
any questions you might have. 

[The prepared statement of Mr. Einhorn follows:] 



86 


Statement of 


David Einhom, President 
Greenlight Capital, Inc. 


Before the 

House Committee on Energy and Commerce 
U.S. House of Representatives 


Hearing on 

H.R. 936 - the Prevention of Fraudulent Access to Phone Records Act 


March 9, 2007 



87 


Chairman Dingell and Members of the Committee, thank yon for holding this hearing on 
the “Prevention of Fraudulent Access to Phone Records Act,” Although I did not ask to 
participate in this hearing, I appreciate the invitation to describe my experience as a victim of 
pretexting. Having said that, please understand that it is impossible to explain what happened to 
me without placing it in context. 

My testimony is a cautionary tale. It is about a corporation and management team that, in 
attempting to ensure their survival, placed no limits on the exercise of their power. Pretexting is 
a brazen invasion of privacy. The thought of an individual engaging in pretexting is unnerving 
enough. But when a corporation, with millions of dollars at its disposal, has its agents spy on 
private citizens in order to silence criticism, that threatens more than just the sanctity of the 
individual’s privacy; it threatens the freedom of the securities markets that we take for granted. I 
believe that the “Prevention of Fraudulent Access to Phone Records Act,” which explicitly 
addresses pretexting, will send a strong message and act as a deterrent to those who feel that they 
can invade the privacy of citizens simply because they are suspicious of them or disagree with 
them. That is why 1 am testifying in support of this legislation. 

My name is David Einhom. I am the President of Greenlight Capital, a long-term 
oriented value investment company. One of our long-term investments is Allied Capital, a 
company headquartered a few blocks from here on Petmsylvania Avenue. Some time ago, our 
research led us to believe that Allied suffered from significant accounting and operational 
deficiencies, and Greenlight took a short investment position in Allied based upon that belief. 

In 2002, 1 voiced my criticism of Allied publicly at an investment research conference, 
which was part of a charity fimdraiser for a pediatric cancer hospital. I told the audience that I 


2 



88 


had sold Allied short based on my research, and pledged to give half my personal profits based 
on this investment to the children’s hospital sponsoring the event. 

Our research indicated that Allied hides its problem investments by misleading the public 
about their value - valuing them at their original cost even as the investments go bankrupt - 
while stating publicly that the SEC valuation rules do not apply to them. Our research also 
indicated that Allied inflates its earnings by charging excessive interest rates and fees to 
companies it controls but does not consolidate in its financial results, while disclosing little about 
the performance of these companies. And its small business lending unit has defrauded the SBA 
and the USDA government lending programs out of hundreds of millions of dollars. All the 
while, we had seen Allied attempt to outgrow its problem investments by raising new capital 
from unknowing investors. 

I discussed Allied’s problems at the research conference in 2002. In response to my 
speech, instead of examining and cleaning up these problems. Allied decided to attack me. The 
company began a systematic campaign to discredit me, publicly attacking my reputation and my 
motivations. But ultimately the public - and the regulators - began to see through Allied’s 
tactics. The SEC began an investigation into Allied in 2004 about the very practices I had 
accused Allied of from the beginning. Later that same year, the U.S. Attorney for the District of 
Colmnbia began a criminal investigation. 

In its zeal to silence its critics, Allied used extreme measures. But even I did not believe 
Allied would go so far as to invade the privacy of my home and family. I was wrong. In an 
apparent attempt to find some piece of information to embarrass and discredit its critics, Allied 
retained private investigators to obtain its critics’ personal and business phone records, including 
mine. 


3 



89 


In 2004, Herb Greenberg, a respected financial journalist for Dow Jones who had 
publicly criticized Allied, told me that his phone records had been illegally accessed. I 
subsequently learned that a woman unknown to me had called my long distance provider; 
identified herself as my wife; provided my wife’s social security number; and opened an online 
account to access our home telephone records. We then learned that the phone records of other 
known critics of Allied - including other hedge fimd managers, a journalist, a research analyst, 
an individual investor and a former media relations advisor to Greenlight - had been similarly 
illegally accessed. 

The FBI ultimately discovered the identity of the individual who had accessed my phone 
records, though they could not share that information with me. The phone records investigation 
was subsequently moved to the U.S. Attorney’s Office in Washington D.C., where the criminal 
probe of Allied was already underway. 

In March 2005, 1 wrote a private letter to Allied’s Board of Directors and told them that 
someone had stolen my wife’s social security number and used it to steal my phone records, 
along with the records of several other prominent Allied critics. I asked the Board to folly 
investigate what happened. A week later, I received a brush-off response that I had not provided 
sufficiently specific information for them to conduct an inquiry. A copy of my letter to Allied’s 
Board of Directors and Allied’s response is attached. 

In September 2006, after Hewlett-Packard’s CEO publicly admitted to involvement in 
very similar conduct and resigned, I wrote another private letter to the Chairman of the Audit 
Committee of Allied’s Board, reminding them of the seriousness of pretexting and once again 
asking them to investigate. Two weeks later the Board responded that it had looked into my 
allegations and found no evidence to support my claim. Copies of these letten are also attached 


4 



90 


At the same time, Allied’s management went on the offensive yet again. On the 

November 8, 2006 earnings conference call. Allied’s CEO, William Walton, spent several 

minutes attacking my motivations and stating that my concerns about my stolen phone records 

were “yet just another example of Mr. Einhom’s tactics.” He recounted my letters to Allied’s 

Board and their prompt denials. He criticized me for not providing more evidence. And he 

issued his own denial that anyone at Allied had accessed my records, saying: 

There is simply no evidence to support a claim that Allied tried to access 
Einhom’s phone records. We never received his records and all that the article 
points to in support of this claim is the word of Einhom, an individual with a 
motive to depress Allied Capital’s stock. 

Only three months later, Allied completely changed its story. On Febmary 6, 2007, 

Allied issued a press release innocuously titled “Allied Capital Comments on Recent Events.” 

Allied admitted that its “agent” had stolen not only my home phone records, but also 

Greenlight’s records. The release read; 

Allied Capital Corporation announced today that, in late December 2006, it 
received a subpoena from the United States Attorney's Office for the District of 
Columbia requesting, among other things, the production of records regarding 
the use of private investigators by Allied Capital or its agents. The Board 
established a committee, which was advised by its own counsel, to review the 
following matter. 

In the course of gathering documents responsive to the subpoena. Allied 
Capital has become aware that an agent of the Company obtained what were 
represented to be telephone records of David Einhom and which purport to be 
records of calls from Greenlight Capital during a period of time in 2005. 

Also, while Allied Capital was gathering documents responsive to the 
subpoena, allegations were made that Allied Capital management had 
authorized the acquisition of these records and that management was 
subsequently advised that these records had been obtained. The management of 
Allied Capital states that these allegations are not frue. 


5 



91 


Until Allied issued this press release, I had not known that Greenlight’s phone records 
had also been stolen. For them to admit this, the evidence must have been extremely clear. 

After denials since 2005, only a grand jury subpoena from the U.S. Attorney’s Office finally 
pried the truth out of Allied. 

The press release was a model of evasion, however, and not at all consistent with the 
disclosure expected of a public company. Who had made the allegations? Who had obtained the 
records? Who had authorized the theft, and for what purpose? What did they do with this 
information? And what else did these agents do to gather information about their critics? The 
release did not even deny that Allied had authorized the theft of my phone records. It only stated 
that “management of Allied Capital states” that this was not true. The release said there would 
be no further comment, effectively refusing to answer these questions or clarify this muddled 
statement. 

For me, the theft of my personal phone records and my wife’s personal information has 
done more than just confirmed my views about Allied. It has struck at my sense of security and 
the protection I have put around my family and my home. After the Hewlett Packard pretexting 
scandal, HP immediately apologized to the victims and promised to give the victims a full 
accomit. But to date, I have heard nothing from Allied. No one has contacted me to apologize or 
explain who invaded my privacy and my family’s privacy. Allied has not yet admitted to taking 
anyone else’s records. Of course, they don’t deny it, either. It is simply not credible that Allied 
management did not know about this. 

This pretexting strikes at the ethical heart of the securities markets, which are based on 
the free and fair flow of ideas, critical and otherwise. It is a cold reality that companies, left to 
their own devices, will rarely divulge the full truth about their problems. It is left to others - 


6 



92 


regulators, analysts, the media, and investors like myself - to hold these companies accountable. 
The free exchange of ideas in our market system depends on the very people who were pretexted 
in this case. 

But that system is under attack; more and more, the instinct of a company tmder attack 
from critics is to hit back harder, not to address the underlying problem. Unless companies like 
Allied are told in no uncertain terms to stop, this trend will escalate. There are many valuable 
voices in the marketplace who will choose not to criticize companies for fear of being retaliated 
against. Nobody wants their privacy violated. As the Committee has noted in this very 
legislation, actions such as pretexting can lead to harassment and intimidation. It can also lead to 
less information in the marketplace. A line must be drawn. 

I support this legislation. There is no question that pretexting is a criminal activity under 
any number of federal and state laws. But there is no law specifically designed to address 
pretexting and the harm that it causes. That a company like Allied believes it can have agents 
pose as me or my wife in order to steal our personal records is proof that the seriousness of 
pretexting has not truly been communicated to the public. I believe that the Prevention of 
Fraudulent Access to Phone Records Act is an important step in raising the public’s awareness of 
this issue and will enhance the protections available to the ordinary citizen against unauthorized 
invasions of their privacy. 


7 



Marclill,2005 

Dear Allied Capital Corporation Director 


I write to inform you directly of the continuing misconduct of Allied Capital’s 
management, conduct that 1 believe warrants an independent investigation by the Board. 

As you know, I have been a critic of your con^any for almost three years and have 
documented many of my criticisms publicly. These criticisms have largely proven to be 
true over time and have been bolstered by tite ongoing investigations by the U.S. Attorney 
for flte District of Columbia and the SEC into Allied and its small business lending unit. 
Business Loan Express (“BLX”). 

Yet, instead of addressing the underlying problems with the company, Allied’s 
management has attempted to deflect attention from such criticism by misrepresenting 
facts to the public, levying personal attacks against me and using other tactics which are 
troubling, to say the least Such actions signal that Allied’s management has more interest 
in concealing the company’s problems than in addressing them. This is hardly surprising 
since it was Allied’s management tiiat engineered these problems in the first place. As this 
has all unfolded, however, it appears that AlUed’s Board of Directors has remained 
strangely silent 

As you are no doubt aware, the SEC and the U.S. Attorney’s Office in the District of 
Columbia are investigating Allied and BLX. Management has told the public that these 
investigations relate to “issues similar to those raised by short sellers over the past two and 
one-h^ years,”' apparently referring to, among other things, the assignment of several 
defaulted loans by BLX to Allied in early 2003. That assignment, however, is only one 
example of the widespread fraud that has occurred at BLX under the stewardship of the 
current management. 

Specifically, Allied has felsely maintained and increased its valuation of BLX tiirough a 
scheme dependent on the commission of systematic fraud against the Small Business 
Administration and, as a result, against the taxpaying citizens of the United States. I have 
learned that BLX has maintained its loan origination volume only by knowingly approving 
loan applications that fail to comply with SBA regulations. These applications, among 
other tilings, have fraudulently iiiflated property and coUateial values, foiled to vaify 
equity injections, contained impermissible property splits and property flips, and other 
violations of SBA rules that were concealed finm the agency. AdditionaEy, many of these 
loans were the subject of improper loan brokering arrangements. 


' Allied Press Release dated December 27, 2004, attached to its Form 8-K. dated Deoembffl’ 27, 2004 as 
Exhibit 99.1. 


2 Grand Central Tower « 140 East 45'" Street, 24'*' Floor * Hew York, NY 10017 
Phone; 212-973-1900 • Fax 212-973-9219 • www.greenlightcapital.cora 



By approving such loans, BLX is able to immediately recognize income around the time of 
loan origination, because it uses gain-on-sale accounting. BLX needs to continually 
increase its origination volume to support its revenue grotvth. This pressure to increase 
origination volume leads to the approval of additional fraudulent loan applications. This 
pyramid scheme has allowed Allied to recognize enormous fees, interest and dividends 
from BLX, while it values BLX far above its actual worth. And it is Allied’s and BLX’s 
execution of this schtane, I believe, that has led the SEC and the U.S. Attorney’s Office to 
initiate their investigations. 

Eventually, when the loans default, BLX receives a guarantee payment from the SBA by 
concealing the feet that the loans should not qualify for a guarantee because of the 
fraudulent origination. It would not surprise me if BLX or Allied is ultimately required to 
repay the government millions of dollars upon completion of the government 
investigations. 

Allied’s management, however, has entirely failed to respond to these problems. Instead, 
management has issued false and misleading public statements dealing with such clearly 
material fects as the status of government investigations. For example, during Allied’s 
fourth quarter 2002 conference call on February 13, 2003, 1 asked Ms. Joan Sweeney the 
following question: 

EINHORN: Could you comment at aU relating to (he office of Inspector 
OeneraJ in the SBA that I understand has been calling around people close 
to Business [Loan] Express, what do you think they’re looking into and is 
there an investigation mid if so what do you believe the states to he? 

SWEENEY: You know, David, I don’t know. I mean, clearly, BLX is a 
regulated entity by die SBA. They’re routinely audit^ by ffie SBA. I 
know that the office of Inspector General tj^ically woiks with die SBA 
looking at SBA lenders. It’s usually a routine - they are usually routine 
inquiries, if there is an inquiry. So that’s about all I can say. We don’t 
knovr the nature of any sort of inquiry. So, you know, again this htqipens 
routinely in the SBA lending market. (EmphMis added.) 

Ms. Sweeney made the above statement only weeks after she personally executed the 
questionable Assignment Agreement and the SBA required Allied/BLX to reimbuise it for 
$5.3 million in guarantee payments relating to loans that the SBA had investigated and 
disqualified. 

In li^t of these facts, Ms. Sweeney’s claim that “we don’t know the nature of any sort of 
inquiry” was materially felse and misleading. Moreover, Allied management chose not to 
disclose either the SBA investigation, the disqualification of the loans, or the Assignment 
Agreement until more than a year afterward. This raises serious issues about the honesty 
of management with its shareholders and perhaps with the Board. As the Board of 



95 


Pages 


Directors could not have sanctioned such public misrepresentations, the question you need 
to ask is, are they lying to you as well? 

Finally, you may already have read a MarfcetWatch article published on February 1 of this 
year, which noted that an tinknown individual had illegally accessed phone records of 
several prominent Allied critics. The article finther noted that the FBI was conducting an 
investigation of this incident Although I have refrained from commenting publicly on this 
matter, my home phone records were among the records that were illegally access^. 
Specifically, according to my long distance provider, someone opened an online account in 
my wife’s luune, and directed the phone company to send copies of our bills to an AOL 
account. Like me, at least four additional individuals have been the victims of this identity 
theft and access device firaud. The only link that connects the victims is that they have all 
been critics of Allied. 

I am quite femiliar with Allied’s aggressive tactics against its critics, including attacking 
them with untrue disparaging statements by management and its agents like Lanny Davis. 
It would not be surprising to me if the FBI discovered that Allied management was 
somehow involved in these identity thefts. 

In short, there is considerable evidence that Allied’s management has conducted business 
in a dishonest and inappropriate manner. Indeed, I have refiuined from including in this 
letter the bulk of my research, numerous false and misleading statements issued by 
management and ray financial criticism of the company. 

I believe you have an obligation to examine the possibly unethical or even criminal 
behavior of Allied’s management and take action to prevent further misconduct. I believe 
that the Board has a responsibility to ensure that individuals who act in this maimer do not 
serve in a management capacity in a publicly traded company. 

Respectfully, 

David Einhom 





96 


83/23/S005 15:05 2127843075 




^AlliedCapital 


QREENLIGHT 


PAGE 02/02 


}9»3 f^nnsyhwftia Atf#ni»e, NW 
Washington, t>C 20006*3434 
202-331-1112 
202-65S-2053 Fax 


Mslfch 18» 2005 


Ml. David Eijjhotn 
Firesidcnt 

GteeaHgiit CapitBl, LLC 
140 Bast 45tii Stwet 
24tis floor 

New York, NY 10017 


Deal Mr. BSnhomt 

I vrritc iti mpoziae tx? yout letter of MateK It, 2005, on behalf of the Board of Dincctors of Allied 
Capital Cotporation. 

Wc are ^miliar with the allegations you have made in the past witia respect to Allied Capital md Its 
txiana^Mnent, and hare on a number of occasioa* request^ and received infiaxmatios flt>m 
management and fcorn outiude cotmael with re^ct to (he &cts> That mfotmation has not 
5tq»poreed your accusations of misconduct Tim Is comhined with what we undttsi^nd to be your 
flnanckl stake in depressing Allied Cspited's stock price and your efforts to persuade other parties 
not to do boaiaess widi AlHed Capitid. 

Punuant to its charter, the Audit Committee ih audtomed by the Board to receive and evaluate 
any evidence of wrongdoic^ by AlHed Capital, its ofBcets or employees. If you provide m with 
specific mfotmatbo upon, which you base you* allcgatioos, wc can detm-mtoe whether furdier action 
is warranted. Please address any cortupondence, marked **eonfideotial” to the Audit Committee 
Qudmian, c/o Co.tpoeatc Secretary, Ali^ Capital Corpotatioii, 1919 Pennsylvaaia Avenue, NW, 
Washic^toa, DC 20006. 

Rcspectfolly, 



V Brooks H. vtewne 

Chairtnim of tie Audit Committee 


www.ain*(itap!uf.<dm 



97 




GREENLIGHT 


September 15, 2006 

Brooks H. Brovrae 
Chairman of the Atidit Committee 
AUied Capital 

1919 Pennsylvania Avenue, NW 
Washington, DC 20006-3434: 

Dear Mr. Browne; 


On March 1 1 , 2005, 1 wrote to you concerning the continuing misconduct of Allied 
Capital’s man^ement. I provided detailed specifics concerning several aspects of the 
fraud being perpetrated by management against both the public and die government, 
including; (1) management’s scheme to maintain an artificially hi^ valuation of its 
small-business lending unit. Business Loan Express (“BLX”) by defiauding the Small 
Business Administratjon; (2) management’s misrepresentations to public conceaning the 
performance of Allied and BLX; and (3) illegal attempts to access mv confidentiaL 

personal information la technique called “pretexting”! bv individuals who likely acted at 

the diiection of. or had some connection to. Allied m anatrement. As you are well aware, 
all of these aspects of management conduct are currently imder investigation by die 
Department of Justice and the SEC. 

Your response to my March 1 1 letter contained no specific information and simply said 
that the information received fiom management and outside counsel did not support any 
of the accusations of misconduct You did not specifically address the “pretexting” issue. 

However, recent public events have made clear die degree to which the Board has 
underestimated the seriousness - and criminal nature - of the conduct described in my 
earlier letter, including the “pretexting” issue. I therefore write again in the hopes that 
the Board will now take these issues more seriously. 

Regarding pretexting: as the news media has recently reported, Hewlett-Packard’s former 
chairwoman, Patricia Dunn, in an apparent effort to discover the source of boardroom 
leaks to the media, employed Investigators wte) in turn illegally accessed fte phone 
records of both membCTS of HP’s board and reporters for various news organteations who 
had published articles critical of HP. The met^s employed by the investigators hired 
by Ms. Dunn were essentially identical to the methods us^ to acc^ my own telephone 
records. As several news organizations have reported, tiie contractor fiOsely used 
individuals’ names, telephone numbers and social security numbers to illegally access 
their phone records online. This is precisely the manner in which my own records - and 
the records of several notable Allied critics - were accessed. 

As the investigations into HP’s conduct plainly demonstrate, illegally accessing an 
individual’s confidential records constitutes calminal conduct . The repercussions to HP 

2 Grand Central Tower, 140 East 45th Street, 24th Floor, New York, NY 10017 
Phone: 212-973-1900 ‘Fax; 212-97^-9219 • www.greenlightcapital.coin 



98 


for use of fliis technique have gone far heyond mere embanassment to the company. Ms. 
Dunn has already resigned. Congress, festal and state prosecutorial and investigatory 
agencies have all initiated investigations into HP’s use of preteKdng. The Attorney 
General of California, Bill Lockyer, has indicated that he has sufBdent information to 
indict several individuals, both wiflnn and outside HP. 

The only group of individuals with any motive to access my phone recmds and the 
records of four other prominent Allied critics is Allied management. In light of the 
public outcry and potential criminal indictments resulting from HP’s conduct, the Board 
cannot pretend that such use of pretexting is not a serious matter. Indeed, the pretexting 
in diis case does not merely concern leaks, but is far more serious. If Allied management 
was involved in illegally accessing the phone records of its critics, such pretexting 
constitutes an attmnpt by a company to interfere with and chill its critics and therefore 
skew the flow of information which is critical to the securities markets. The Board 
clearly has an obEgation to investigate such potential criminal conduct by Allied’s 
management 

In short, the Board owes a fiduciary duty to Allied and its shareholders to conduct a 
thorough investigation to determine wheth« in fact Allied management was involved in 
any way in the pretexting scheme. If criminal conduct was committed, appropriate steps 
must be taken including but not limited to reporting that conduct. I will be h^ipy to 
provide the Board with any additional information that will be of assistance in such an 
investigation, subject to any restrictions placed on such information by governmental 
agencies curr^itly investigating the same matter. If you deny that Allied manag^ent or 
its agmrts were involved in any way in pretexting or accessing my teiqfoone records then 
please confirm that feet for me; otherwise, I will assume tiiat the clear inference that 
Allied management engaged in this illegal conduct is in feet true. 

Yours, 

David Einhom 


2 


iGBEBBJGHT 



99 


A 


K\ujedCapital 


S^tembea-29, 2006 


Mr. David Einliom 
President 

Grcealight Capital, LLC 
140 East 45th Street 
24* Floor 

New York, NY 10017 


1919 ?snnsy1v»nl« Avsnus, NW 
3rd Floor 
Wishingtew. DC 2000A 
yoi» 202-721-A100 
Ux 202-721-6101 
wv«nv.3tli«cEca pitai.com 


DearMr. EijihcHii: 

On behalf of the Board of Directors of Allied Capital Corporation, I write in re^wnse to 
your letter dated S^tanber 15, 2006, which was addressed to Brooks Browne, fenner 
Chainnan of Allied’s Audit Committee. 

We have looked into your allegations that Allied’s management played a role in an 
idtenqit to access your phone records and have found no evidence to support your claim. 
As noted in Mr. Browne's March 16, 2005, letter to you, the Allied Board remains 
skq)tical of the motive behind your allegations, given your history of making broad 
accusations of misconduct against Allied management while simultaneously having an 
apparent financial motive to depress Allied’s stock price. The Board is thMefbre not 
di^sed to credit your claims without coiroborating evidence. Notwithstanding our 
March 16, 2005 invitation for you to provide us wifli any suppoiting evidence of your 
own, you have supplied none. 

As Mr. Browne explained in his March 16, 2005 letter. Allied’s Board has authorized the 
Audit Committee to receive and evaluate any evidence of wrongdoing by Allied 
management fiiat you are pt^ared to provi^ In the evait that we receive any such 
material, we will considef what, if any, further action is warranted. Please address any 
correspondence, marked ’’confidential’’, to the Audit Committee Chairman, c/o Corporate 
Secretary, Allied Cipital Corporation, 1919 Pamssdvania Avenue, NW, Washington, DC 
20006. 


Respectfully, 

Ann Torre Bates 

Chairman of the Audit Committee 



100 


Ms. DeGette. Thank you very much, Mr. Einhorn. 

The Chair recognizes herself for 5 minutes. 

I am wondering, Ms. Fames, if you can tell us what the position 
of the Department of Justice is on this legislation, because I know 
your agency works closely with the DOJ. 

Ms. Parnes. We do work very closely with the Department of 
Justice, but unfortunately, I don’t have their position on this legis- 
lation, on this bill. 

Ms. DeGette. And are you aware of any objection by any law en- 
forcement agency to this legislation? 

Ms. Parnes. I am not, but honestly, we have not, at the FTC, 
done a kind of review of other Federal agencies and whether they 
have any concerns on this. We have worked with the committee’s 
staff on technical issues, and as you know, we generally support 
this. 

Ms. DeGette. Yes. And there is an exemption in the bill for law 
enforcement, I believe. 

Ms. Parnes. Yes, there is. 

Ms. DeGette. Ms. Parnes, I am wondering. Can you give me an 
update? And I am going to ask you, Mr. Rotenberg, also this ques- 
tion. What is the status of pretexting in America today? Have we 
seen the problem worsening since last year or improving? 

Ms. Parnes. It is hard to know exactly what is going on in the 
industry generally. I can tell you what some of our experiences 
have been in investigations. 

The targets that we have sued, we identified them, as I indi- 
cated, by going online and then by making some undercover pur- 
chases of phone records. And I should note, we bought the records 
of FTC employees. 

Ms. DeGette. With their consent? 

Ms. Parnes. Yes, absolutely with their consent. But we have 
done that. We have attempted some undercover buys more re- 
cently, and we have been told, “Oh, we don’t do that anymore.” Or, 
“We simply can’t get that for you.” So we have some sense that cer- 
tainly the criminal law that was passed may be having a real im- 
pact here. 

Ms. DeGette. Right. 

Mr. Rotenberg. 

Mr. Rotenberg. Our understanding, Madame Chairman, is that 
the type of very brazen pretexting where the services were pro- 
vided over the Internet in a 24-hour turnaround, for example, was 
guaranteed, there is much less of that today than there was in the 
past, in part because of the FTC investigation. The private inves- 
tigators continue to use pretexting, as do others, as a way to obtain 
personal information about others. 

Ms. DeGette. And have you seen any change in the type of in- 
formation these private investigators are seeking? 

Mr. Rotenberg. That would be a difficult question to answer, 
but I will say, because people sometimes don’t understand exactly 
what the significance of the call detail information is, those month- 
ly billing statements that consumers receive from the wireless 
phone companies in particular, that listing is the type of informa- 
tion that is still very easy to get from the telephone companies by 
going, for example, to an online Web site that is set up to provide 



101 


that type of information. So we are still seeing the availability of 
the monthly call detail information being made available. 

Ms. DeGette. Mr. Einhorn, you would have never known any- 
thing about the pretexting of your family and business records un- 
less a market watch journalist told you what Allied Capital was 
doing, is that correct? 

Mr. Einhorn. That is correct. I would not have had any way to 
know. 

Ms. DeGette. And this is, by the way, what we also found last 
year in our investigation that people found out inadvertently that 
they had been pretexted. Do you know how many other people had 
their phone records pretexted by an agent of Allied Capital besides 
you and the journalist? 

Mr. Einhorn. I believe, at least that we have been able to iden- 
tify, at least six individuals. 

Ms. DeGette. And can you identify, for the record, who the 
phone carrier who surrendered your records to the imposter pre- 
tending to be your wife? 

Mr. Einhorn. It was AT&T. 

Ms. DeGette. Have you talked to AT&T? 

Mr. Einhorn. My wife talked to AT&T. 

Ms. DeGette. And what was their response? 

Mr. Einhorn. They were able to identify when the pretexting 
had occurred, how it was done, that her Social Security number 
had been provided, what date that happened at, where the records 
were sent in terms of an Internet e-mail account where they were 
e-mailed to, and when the account was most recently accessed. Be- 
yond that, they had no other information for us. 

Ms. DeGette. Do you agree with the bill’s provisions that en- 
hance the FTC’s enforcement tools against pretexting, soliciting 
pretexting, or selling stolen phone records? 

Mr. Einhorn. Absolutely. I think that there is really no place for 
this, and I would support all of the efforts that are being con- 
templated to cut down and eliminate this practice. 

Ms. DeGette. Thank you very much. 

The Chair now recognizes the distinguished ranking member, 
Mr. Barton, for 5 minutes. 

Mr. Barton. Thank you, Madame Chairman. 

Mr. Rotenberg, is there any reason an individual would tend to 
want his or her phone records shared without them knowing about 
it? 

Mr. Rotenberg. Well, generally speaking, I don’t think so, sir. 
A person who wants to disclose personal information to someone 
else would typically do that affirmatively. To get a bank loan, for 
example, you provide a lot of information to the bank so that they 
can make a determination, but that is a process you would initiate. 

Mr. Barton. But just as a matter of course, most normal human 
beings would rather they know if somebody wants that information 
so that they can make a decision whether to give it to them or not, 
would you agree? 

Mr. Rotenberg. Yes, I think that is correct. 

Mr. Barton. Now, I think we have general support for this bill, 
but Mr. Largent and Mr. McCormick, their trade groups seem to 
not like section 202, which changes current law from saying the 



102 


phone company can share that information without letting the indi- 
vidual know, unless the individual tells them ahead of time not to 
share it. That is the current law. section 202 changes it that Mr. 
Largent’s company’s trade groups and Mr. McCormick’s would have 
to go to the individual and say, “May we share your information?” 
That seems to be the most controversial element in this new bill. 
It would seem, if we are trying to protect privacy, that changing 
this from opt-out to opt-in makes a lot of sense. Do you agree with 
this section 202? 

Mr. Rotenberg. Yes, I do, Mr. Barton, and if I may also say, 
while we are critical of the FCC’s delay on our petition, we were 
nonetheless heartened, you may recall that Chairman Martin, 
when he spoke to this issue at the hearing last year, said that he 
thought the opt-in was important for consumer privacy. And I 
think there would be, certainly among consumers, recognition right 
away that the right way to do this is opt-in, based on permission. 

Mr. Barton. Now I want to give Mr. Largent and Mr. McCor- 
mick, who are both good friends of mine, an opportunity to expand 
if I understood incorrectly in their prepared testimony why they 
have a problem with section 202. 

Mr. McCormick. Thank you, Mr. Barton. I think that our con- 
cerns are fairly narrow and focused. 

Let me give you an example. 

We, today, look at purchasing patterns. For example, if a cus- 
tomer is taking telephone service and Internet access, as we move 
into new broadband applications, like video, we would like to be 
able to go to that customer and offer to that customer a pro- 
motional offering where we would add in video as part of a bundled 
package. In that regard, we would be competing against the cable 
industry, who is going to its video customers and saying, “We will 
add on voice service. Since you are already a cable customer, we 
will offer you a promotional offering to add on voice service.” In 
that regard, no call-detail information is shared with anyone. There 
is nothing other than the knowledge of what kind of package that 
customer currently has and whether or not that customer would 
benefit from a broader package. And we believe that it would lead 
to a competitive imbalance if we were unable to approach our cus- 
tomers in that way. 

Mr. Barton. I don’t understand. I have got a little bit of a cold, 
so maybe I am just not clued in, but there is nothing in the bill, 
if it becomes law, that prevents anybody from soliciting for new 
services to people that they have the addresses of, whether it is a 
hard-line address, a regular mail address, or a phone number, or 
an e-mail. All this says is if you want to share that individual’s in- 
formation, you have got to get their permission before you share it. 
I don’t see how this bill would prevent what you just said you 
wanted to do. 

Mr. McCormick. Mr. Barton, if that is the intent, I think that 
it would be easy to come up with clarifying language that would 
clarify that we are permitted to engage in that kind of broader 
market. 

Mr. Barton. OK. Steve? 

Mr. Largent. Yes, Mr. Barton. I just would say that there is 
some ambiguity about what the language actually does and what 



103 


it does not do. And the fact is that many of our companies utilize 
third parties to offer services just because it is less expensive. We 
can ofer that type of discount to our customers. So if the legisla- 
tion would get in the way of our use of third parties to offer serv- 
ices from our company, not anybody else’s company but from our 
company’s perspective, then that would be a problem, but if you are 
saying it is not going to get in the way of that, then perhaps we 
could work with you on the bill’s language. 

Mr. Barton. My staff says there is some ambiguity, so maybe we 
can work on this. 

My time is expired. Thank you. 

Ms. DeGette. The Chair now recognizes the distinguished chair- 
man of the Telecommunications Subcommittee, Mr. Mar key, for 5 
minutes. 

Mr. Markey. ok. first let me say that the five FCC Commis- 
sioners will be appearing before the Telecommunications and Inter- 
net Subcommittee on Wednesday of next week, so we certainly 
hope that the CPNI order will be completed by then and that it will 
have been done well by them, because that will be a central part 
of that hearing on Wednesday. 

Mr. Einhorn, is it important that victims be notified immediately 
that their carrier has learned that the privacy of the phone calls 
of an individual have been compromised? 

Mr. Einhorn. I would support the notion of the immediate notifi- 
cation of anybody whose information was compromised in that 
fashion, yes. 

Mr. MARKEY.Mr. Navin, do you think that is a good idea that im- 
mediate notice be given to people like Mr. Einhorn that their infor- 
mation has been compromised and that that becomes the rule for 
the telephone carriers? 

Mr. Navin. I do agree that it is important that consumers get 
prompt notification. 

Mr. Markey. I am saying immediate. 

Mr. Navin. As I understand it. States that have addressed this 
issue typically have an exception for notification of law enforce- 
ment, and it calls for prompt notification, but there is some provi- 
sion, specifically for law enforcement. 

Mr. Markey. But what should be the deadline for calling law en- 
forcement? 

Mr. Navin. What should be the precise deadline? 

Mr. Markey. See, what I want you to say is we call law enforce- 
ment and the customer immediately and let them know that they 
have been compromised and that law enforcement might be calling. 
But why should there be a delay? 

Mr. Navin. In the record in front of the Commission right now, 
the Deputy Attorney General sent a letter to the Commissioners, 
indicating the Department of Justice’s preference for law enforce- 
ment to be notified first, before the 

Mr. Markey. I have no problem with that, but what I am saying 
is Mr. Einhorn should get the next call, don’t you think? 

Mr. Navin. After law enforcement, yes, I think consumers should 
be notified. 

Mr. Markey. Yes. How long do you think a gap should be? Seven 
days, 1 day, or 1 hour? 



104 


Mr. Navin. I believe the Department of Justice has advocated for 
allowing them 7 days. 

Mr. Markey. I don’t think the Department of Justice should be 
listened to on that issue, and I think Mr. Einhorn should be lis- 
tened to and the millions of Americans whose information is com- 
promised. I think that the FCC should listen to the consumer, lis- 
ten to this committee. The CPNI laws are ours. We created them. 
We want the customer protected. Justice should not be given 7 
days to wait to notify people who have an ongoing crime being com- 
mitted against them. They should be notified immediately, as any- 
one whose house was burgled that it occurred. And if you don’t 
want to do that, then I think we are going to have a real problem 
next Wednesday. 

Mr. Largent, Mr. McCormick, a general question. Do you agree 
that customers have an ownership interest in their own personal 
information? Mr. McCormick? 

Mr. McCormick. I would say they have a strong privacy interest. 

Mr. Markey. Do they have an ownership interest? 

Mr. McCormick. Yes. 

Mr. McCormick. I would agree that customers have a strong pri- 
vacy — 

Mr. Markey. No, do they have an ownership interest in their 
own personal information? It is called the customer proprietary 
network information law. Do they own that information? 

Mr. McCormick. We have always regarded that information as 
the customers’ information, that is correct. 

Mr. Markey. OK. Mr. Largent, do you agree that it is the owner- 
ship interest of the consumer, his or her own information? 

Mr. Largent. I think Mr. Markey asked me that question last 
year at this hearing, and I said the same thing: yes, it is. 

Mr. Markey. OK. Thank you. I appreciate it. 

Mr. McCormick, what percentage of your member companies 
outsource customer support or billing or marketing functions to for- 
eign countries? 

Mr. McCormick. I do not know, Mr. Markey, but I would be 
happy to provide that information for the record. 

Mr. Markey. I would appreciate that. 

Mr. Largent, do you know what percentage of your companies 
outsource this information to other countries? 

Mr. Largent. No, I am not aware of what the exactly number 
would be, but we would be glad to get back to you on that. 

Mr. Markey. Obviously, that is a good question. We will shut 
down a lot of regional FCC offices, but we don’t have any FCC of- 
fices in India or Pakistan, so what happens with the information 
of the people in this room and watching this hearing is a good 
question when it is put overseas, so we would like to know what 
happens to that. 

Mr. Navin, does the FCC intend to impose a minimum system 
security requirement on the transfer of customer information? 

Mr. Navin. The proposed rule that the chairman has put before 
the Commission are prescriptive relating to access to the CPNI 
records, which deals directly with the pretexting issue. For exam- 
ple, they require a mandatory password to get access to call detail 
records. Relating to the security or safeguards, the proposed rules 



105 


ban the sharing of the CPNI with a joint venture partner or inde- 
pendent contractor without the express consent of the consumer. 

On the issue of transferring the security among affiliated compa- 
nies, the record is sparse on that issue. And right now, I am not 
sure if the Commission will determine to address that issue in this 
order or not. 

Mr. Markey. ok. I would like to get back to you, and thank you, 
Madame Chairman. 

Ms. DeGette. Thank you, Mr. Markey. 

The Chair now recognizes the distinguished gentle lady from Wy- 
oming, Mrs. Cubin, for 5 minutes. 

Mrs. Cubin. Thank you, Madame Chairman. 

I would like to ask Mr. Navin and Ms. Fames, under the scope 
of your Commissions’ investigations into this issue, I wonder if you 
could tell the committee if any specifically-rural companies have 
been investigated, or does this seem to be a problem that is most 
prevalent in large companies with large lists of personal data? 

Ms. Parnes. I am told that one of the cases that we brought ac- 
tually is located in Wyoming. 

Ms. Cubin. Could you comment, just for a moment, on the state 
of rural carriers’ privacy protection measures, if you are able to 
right now? I know you have a full plate. 

Ms. Parnes. I would actually have to defer to my colleague at 
the FCC about security practices by carriers. 

Ms. Cubin. Mr. Navin, can you offer the committee an update, 
if it is available, on how much you believe sections 202 and 203 of 
the bill will cost small and rural carriers? 

Mr. Navin. Unfortunately, we do not have an estimate on what 
it will cost carriers. 

In answer to your first question, I know that the agency has 
issued 20 letters of inquiry to various carriers. I imagine some of 
those carriers are smaller carriers, given the number of large car- 
riers, both on the wireless and wireline side. I don’t know specifi- 
cally what size of rural carrier the Commission has made those in- 
quiries of. I know that the Commission is always sensitive as it re- 
lates to implementation of its rules in rural areas and tends to give 
special consideration. In the rulemaking that is pending before the 
Commission, the rural carriers have pointed out that they have 
more limited resources, and my sense is that the Commissioners 
will be sensitive to that. 

Ms. Cubin. That is my main concern, that possibly they be in- 
cluded before any final rules are initiated, because it is a whole dif- 
ferent country out there. 

So I have no more questions, Madame Chairman. 

Ms. DeGette. The gentle lady yields back. 

The Chair now recognizes the distinguished gentleman from Illi- 
nois, Mr. Rush, for 5 minutes. 

Mr. Rush. Thank you, Madame Chairman. 

Ms. Parnes, I have three questions, and I am going to ask all 
three so that you can answer these questions, as you will. 

First of all, it is good to see you again. 

And the first question is, do I understand correctly that the FTC 
supports the thrust of this legislation, that you support this legisla- 
tion? 



106 


The second question, in September, the FTC testified before the 
O&I Subcommittee that you needed more specific prohibitions 
against pretexting for consumer phone records and soliciting or 
selling consumer phone records obtained through actual or reason- 
ably-known pretexting activities. Does this legislation adequately 
address that request? And if it doesn’t, then what specific changes 
do you recommend. 

And lastly, my question is you also recommended in that testi- 
mony that Congress give the FTC authority to seek civil penalties 
against violators, a remedy that the FTC does not currently have 
in cases involving matters such as pretexting. And for the record, 
I just want to know why the civil fine authority over at FTC does 
not apply in this situation and then whether or not our proposed 
legislation adequately addresses this need that you have voiced. 

Those are the three questions. Would you respond to them, 
please? 

Ms. Parnes. Absolutely. And thank you. 

The FTC does support this legislation. And in terms of the spe- 
cific prohibitions and the earlier testimony of the Commission, the 
legislation does address those issues. 

What the Commission’s concern has been is that, as I indicated, 
we have used our section 5 authority to go after both actual 
pretexters and those who solicit pretexting, the middlemen, so to 
speak. But we will want to make sure that any legislation that was 
adopted addressed both parts of this transaction, both the 
pretexters who call up the phone companies, engaging misrepresen- 
tations and get phone records and the middlemen, the data brokers 
who make claims and promise that they can get this information. 
The data brokers and the pretexters may sometimes be the same 
entity, but sometimes they may be separate entities, and we were 
just concerned, but this bill does address both sides of that. And 
we think that is a very good thing. 

In connection with the Commission’s civil penalty authority, the 
Commission has civil penalty authority in two circumstances. One 
is if conduct violates an order that the Commission has already ob- 
tained against a company. And the second is if conduct violates a 
role that the Commission has issued. We are able to get civil pen- 
alties only when we have engaged in rulemaking authority. And 
while we do have general rulemaking authority under the Federal 
Trade Commission Act, as you know, the FTC Act is very broad. 
It gives us authority over unfair or deceptive acts or practices in 
or affecting commerce. And in exchange for the ability to get civil 
penalties once we had adopted a rule. Congress set very specific 
procedures that the Commission has to go through in rulemaking. 
And they are very comprehensive. It takes a fairly long time for us 
to engage in. And so actually, what has happened since the 1990’s 
is that Congress, when they have wanted the FTC to obtain civil 
penalties and to engage in rulemaking, they have used a model 
very similar to the model used here. They have either said that the 
law shall be enforced by the FTC as if it is a rule or they have 
given the Commission very specific authority to engage in rule- 
making a particular area. Congress did that with the Tele- 
marketing Act, with the Can Spam Act, and it has actually been 
a very successful approach. 



107 


Ms. DeGette. The gentleman’s time has expired. 

Mr. Rush. Thank you, Madame Chairman. 

Ms. DeGette. Thank you. 

The Chair now recognizes the gentleman from Mississippi, Mr. 
Pickering, for 6 minutes. 

Mr. Pickering. Thank you, Madame Chairman. 

Earlier, Mr. Largent and Mr. McCormick, you all mentioned the 
issue of whether you would be able to joint market a bundle of 
services. Is there language that you would have that could clarify 
that issue so that those types of services, which I think the Com- 
mittee would want to see continued with the other protections as 
it relates to information, regardless of legitimate use of informa- 
tion, and is that something that you could supply the committee 
with? 

Mr. Largent. Yes, it is. We can get you that kind of information, 
and that is our concern with the legislation. 

Mr. Pickering. You often raise in your testimony, Mr. Largent, 
that as we go across the country, there is a patchwork of different 
initiatives on different things. Recently, the Commission has indi- 
cated a possible proposal that would move all wireless services into 
title I, which would give a Federal framework. And if that happens, 
would you support consumer protections like this as part of a Fed- 
eral framework? 

Mr. Largent. Well, what we are talking about specifically that 
Chairman Martin has mentioned this year is just moving the 
broadband portion of the wireless industry into title I from title II 
that would put us on the same ground with DSL and cable offer- 
ings and broadband over power line. They are already in title 1. 
Our services that are being rolled out over wireless are not in title 
I, so we are kind of competing on unleveled ground, and we are just 
trying to get to that level ground. 

Does that answer your question? 

Mr. Pickering. And broadband services under title I, if that 
were to occur, you would support a national consumer protection 
standard on these types of issues? 

Mr. Largent. Absolutely. Yes. 

Mr. Pickering. I thank you, Mr. Largent. 

Mr. Largent. Mr. Navin, let me follow-up on a question that Mr. 
Markey asked. 

If there are third parties that are being used to joint market and 
they are based overseas, whether it is Pakistan or India, are the 
U.S. laws still applicable and enforceable in those situations? 

Mr. Navin. That is an issue that the Commission is considering 
as part of a reconsideration of the order that it had put out in 
2002. I believe that the Department of Justice in its reply com- 
ments raised that exact issue. The Commission hasn’t yet resolved 
it. I think it gets into issues of treaty law and international law 
and not to be the primary subject certainly of my bureau, but I 
know that the Commission is studying that issue. And I can also 
tell you that it is not an issue that we address in the order that 
Chairman Martin has proposed for the Commission. 

Mr. Pickering. Ms. Parnes, do you have any comment on that 
issue of whether you would be able to enforce the law that we pass 
here if a third party is based in a country like India or Pakistan? 



108 


Ms. Parnes. The Commission does not have any jurisdiction over 
common carriers, but if we are talking about other entities, I think 
that if a business was located in the United States and they moved 
data outside of the country, we would take the position that the en- 
tity in the United States is responsible for their own data. In terms 
of looking at data brokers, as I mentioned, smaller businesses that 
may be located here or entities that may be outside of the United 
States, we would use the new authority that Congress gave us in 
the 109th session, the U.S. Safe Web Act, to go after those individ- 
uals. 

Mr. Pickering. All right. Thank you very much. 

Madame Chairman, I yield back the rest of my time. 

Ms. DeGette. The gentleman yields back. 

The Chair now recognizes the distinguished gentleman from 
Texas, Mr. Green, for 5 minutes. 

Mr. Green. Thank you, Madame Chairman. 

Mr. Largent and Mr. McCormick, are any of your companies now 
selling the information to third parties that you have on your cus- 
tomers? 

Mr. Largent. No. 

Mr. Green. OK. 

Mr. McCormick. No. 

Mr. Green. OK. That is one of the concerns. I think years ago 
when we had jurisdiction, and I mentioned it to you before the 
committee hearing over what became Oxley-Bliley. In fact, Steve, 
you might have been on the committee when we had that battle 
over the privacy issue. And I was told, at that time, by some of our 
financial institutions that it was such a profit center for them to 
market that information that they would have killed the bill, which 
is something they had been working on for 10 years before that. 
And so that takes care of part of the concern. And I guess I have 
the same concern that both the chairman on our Telecom Commit- 
tee and Mr. Pickering mentioned is enforcement of these privacy 
restrictions outside the United States. And I am glad the FTC said 
that you would hold responsible the person or the entity here, al- 
though you don’t have jurisdiction over common carriers. But 
again, I guess we can provide that jurisdiction that would go with 
that contracting to somewhere else, because I know now it is a 
laugh line on late night television that whether it is your computer 
you bought or your Internet service provider, you very well may be 
talking to someone in Pakistan or India or no telling where, and 
they probably have as much private information on your use as the 
telephone companies or wireless companies would have. 

I know numerous industries share information for marketing 
purposes, and that is part of our concern is Mr. Markey said that 
the consumers think it is their information, and they ought to be 
able to give permission to share it. This legislation, I know, puts 
restrictions on telephone companies as compared to cable because 
of where we are at today in our technology. And I know you have 
been asked for information on how we can address that issue, be- 
cause obviously our committee wants that competition between 
cable and hard-line, both for video and over the air and computer, 
high-speed, and also telephone service. Is there a standard that 
could be set across the multiple industries? What information could 



109 


be shared? Is there a standard anyone? And again, not just for the 
two representatives in wireless and the hard-line, but anybody on 
the panel, is there a standard that could be dealt with where I, as 
the consumer, could say, “Yes, I am your customer. You can contact 
me, but I don’t want you to share it with anyone else.” 

Mr. McCormick. Well, Congressman, I think that that kind of 
a standard would be a very, very broad standard. I mean, in effect, 
it would be a do-not-call standard, because virtually every business 
in the United States contacts its customers to talk to its customers 
about ability to take advantage of new offerings or discounts that 
it might have available. And so the real focus of the bill that we 
heard in the opening statements is really to protect that informa- 
tion that is call-detailed information. 

Mr. Green. OK. I am not talking about AT&T contacting me, but 
for AT&T providing my information to someone else or having ac- 
cess to it. so I don’t have any trouble with, if I have a contract with 
a cell phone company, we get contacts all of the time for other 
every 6 months to come in and renew your contract. I don’t mind 
that, because I am a customer, but for my information to be 
shared, and I think that is the concern of the committee and ulti- 
mately why we have this legislation. 

Mr. Largent. I would just say, Mr. Green, that I think where 
you are going is right, that we don’t have any problem saying, you 
know, that you can’t sell customer information to the automobile 
industry or an automobile dealer, because that is not the way we 
are using the information anyway. We are using it to market more 
services from our carriers, and that is it. And that is what we 
worry that the legislation may go a step too far in impeding our 
ability to market our services to our customers. And that is what 
we want to try to protect is the ability to market our services to 
our customers only. We are not talking about we want the ability 
to market balloons or baseballs or cars. 

Mr. Green. OK. 

Mr. Einhorn, I know your situation is not that, but as the con- 
sumer sitting at the table along with, what is your feeling? And 
well, I have run out of time, but Madame Chairman, if he could 
just be allowed to answer. 

Ms. DeGette. Yes, without objection, the gentleman will be al- 
lowed to answer. 

Mr. Einhorn. I am not actually clear what the question I am 
being asked is. 

Mr. Green. The question was your situation was different. I 
know you are here on, really, part one of the bill, and I don’t think 
there is any question at all about support for that, but to also try 
to expand it to where consumers shouldn’t have their information 
shared with someone else, do you think there is a standard that 
you, as a consumer, would feel comfortable with that they could 
share your information across industries, which 

Mr. Einhorn. I think my general view is that, who I am calling 
for how long at what time and what those people’s phone numbers 
are, is information that really doesn’t belong to anybody and really 
shouldn’t be used for any purpose, in my mind, other than sending 
me a bill to tell me how much to pay the phone company. 



110 


Mr. Green. Well, I think we agree on that that who I call and 
whatever ought to he my own information, and I need to share 
that. 

Ms. DeGette. Thank you, Mr. Einhorn. 

The Chair now recognizes the distinguished gentleman from 
California, Mr. Radanovich, for 5 minutes. 

Mr. Radanovich. Thank you, Madame Chairman. 

I do have one question regarding the opt-in/opt-out impact of this 
kind of legislation, and if something like that were required in this 
bill, would it set this industry apart from other industries. In, for 
example, health medical records, it is an opt-out thing. Does any- 
body have any comment on that? 

Mr. Largent. Well, Congressman Radanovich, I would just say 
that previous attempts to require opt-in consent have been held to 
be unconstitutional. And but to be fair, those instances did not in- 
volve cases where Congress had spoken on this issue, so we are 
talking about two different cases where Congress’s, obviously, in- 
tent to speak on this issue, it may not be unconstitutional or found 
unconstitutional, but it could be, and I think that is an open ques- 
tion. 

Mr. Radanovich. Well, and if it did become part of the language 
of the bill and come into law, it would be different than other in- 
dustries, it does sound like, though, right? 

Mr. Largent. Yes. 

Mr. Rotenberg. Congressman, could I respond? 

Mr. Radanovich. Sure. 

Mr. Rotenberg. Two points. Just to clarify what Mr. Largent 
said, the U.S. West case from 1999 concerning an earlier opt-in 
rule was narrowly struck down, as Mr. Largent described, because 
it was based on the regulation and not statute, and so of course, 
if you have a statute, I think that problem goes away. And in sub- 
sequent cases, I should point out, other Federal appellate courts 
have upheld similar rules. 

Now as to your original question, is there a reason for having 
opt-in here where there might not be opt-in in other privacy stat- 
utes, I think the answer to that question is the sensitivity of this 
information, that this is the real-time data associated with who you 
are calling, when, and for how long, and that is information that 
is specifically protected in section 222 of the Communications Act. 
That actually has a long, long history of privacy protection, and I 
think that is the reason you would want opt-in. 

Mr. Radanovich. All right. Thank you. 

If no other response, then I yield back. 

Ms. DeGette. The gentleman yields back. 

The Chair recognizes the distinguished gentleman from Texas, 
Mr. Gonzalez, for 8 minutes. 

Mr. Gonzalez. Thank you very much, Madame Chairman. 

And quickly, just a kind of general observation so you know basi- 
cally where I am coming from, and then I will get into specific 
questions. 

But the way I view what we do here, and I know that we are 
visiting the same territory, is what Mr. Markey established from 
the beginning. No witness here and no witness in previous hear- 
ings, and those were representatives and CEOs from the tele- 



Ill 


communications industries themselves, that acknowledged that the 
property belongs to the customers. So let us start off with that 
basic premise. The information belongs to the citizen and to the 
customer. 

As to disparate treatment of that information and the require- 
ments, the Government may impose as to safeguards and security 
measures, that, I believe, is basically, established by what I think 
is the hierarchy of information depending on the type of informa- 
tion. 

First and foremost, I think, it is always going to be medical 
records. And how we arrive at that is just, basically, human na- 
ture. 

Second, I think you are going to run into telephone records. 

And then third, financial records. 

And the fact that we may treat the type of information, how we 
safeguard it and disseminate it differently is because there is that 
hierarchy. And I think we have to acknowledge that. 

Now does it place any particular business that operates in those 
different areas at a disadvantage from those other businesses? The 
answer is going to be yes, because there are higher standards for 
healthcare providers and so on. 

What I am getting at, and I am going to address Mr. Largent 
and Mr. McCormick’s concern that it would place certain members 
of a specific industry at a disadvantage. That I think we can ad- 
dress within this hierarchy: telephone records, telecommunications, 
everything that is going out there in the telecom industry. And 
surely, we don’t want to do something that does place you at a dis- 
advantage regarding the marketing of your services and such and 
to expand and to be successful. So I am familiar with that. 

Now the reason that the legislation we address to all of you is 
because you are the gatekeepers, and that is the most obvious 
starting point, and we are going to deal with the criminals and the 
scammers and everybody else. And we can do that criminally. But 
I think it still goes back to what Mr. Rotenberg pointed out is that 
if we really start with the safeguarding measures, we probably 
could avoid quite a bit, which leads me to the first question of the 
entire panel, not Mr. Einhorn, I am sorry, because you are actually 
the citizen victim, but I will reserve a question for you, and this 
involves you. 

A yes or no answer, because I think you can answer this yes or 
no. To the extent that you understand this piece of legislation that 
we are attempting to pass, had it been in place at the time of the 
Einhorn family, what borders on a tragedy, actually, but their ex- 
perience, would it have prevented that experience by the Einhorn 
family? Ms. Fames, had it been in place, would it have made any 
difference? 

Ms. Parnes. Well, to the extent that you are asking about the 
operation of title II, it is not an area for us. 

Mr. Gonzalez. If you can’t answer, that is fine. 

Mr. Navin? 

Mr. Navin. Yes, I am afraid I have to tread carefully here, too. 
There is typically a protocol and procedure for the Commission to 
give technical assistance to the committee, which, of course, we are 



112 


always happy to do. I don’t believe we were asked for it on this par- 
ticular bill, but I would prefer to use that process. 

Mr. Gonzalez. OK. The Federal Government at work. 

Mr. Rotenberg? 

Mr. Rotenberg. Well, Mr. Gonzalez, since we initiated the peti- 
tion of security standards, while I can’t say with certainty it would 
have prevented what happened to Mr. Einhorn, I think it is clear 
that if stronger security standards were in place, it would have 
been much more difficult for someone to improperly get access to 
Mr. Einhorn’s family’s calling records. 

Mr. Gonzalez. And this bill would have accomplished that? 

Mr. Rotenberg. Yes, I believe it would have. 

Mr. Gonzalez. Mr. Largent? 

Mr. Largent. I would say that the security measures that the 
companies have enacted since this came to light, and it was about 
the same time that he had his problems, are going a long way to 
prevent it from happening again. I would tell you that the threat 
of prosecution of pretexters has essentially evaporated the Internet 
solicitation for people to get numbers through pretexting. So we 
have already come a long way, but whether it would have actually 
addressed his concern, I think that is an open question, and I am 
not sure. 

Mr. Gonzalez. Mr. McCormick? 

Mr. McCormick. Yes, Congressman. I would agree with Mr. 
Largent. I received a briefing the other day on the security proto- 
cols that had been implemented by the companies during the 
course of the last year, and the protocols would directly address the 
way in which an inbound call under pretexter-obtained informa- 
tion. Our concern, under this legislation, though, is that it also ad- 
dresses outbound calls. There has never been a situation where one 
of our companies has called a pretexter to give them information. 
This marketing on the outbound, those provisions of the bill, would 
do nothing to address the situation that Mr. Einhorn had. 

Mr. Gonzalez. All right. 

Ms. DeGette. The gentleman’s time has expired. 

Mr. Gonzalez. I think my time is up, and I just thank you, Mr. 
Einhorn, for your participation. 

Ms. DeGette. The Chair now recognizes the distinguished gen- 
tleman from Florida, Mr. Stearns, for 5 minutes. 

Mr. Stearns. I thank my colleague. 

I think we have touched on this issue before, but there is some 
confusion. At least some of the staffs indicate there is confusion, so 
I would like to ask this question. Mr. Navin, you first. And then 
I will ask all of you, if you would, to comment on it. And I guess 
it is dealing with the bill’s affect on the ability to use phone records 
to market other products. In your mind, does this bill prohibit the 
usage of just detailed information or all information from phone 
records? 

Mr. Navin. Yes, I am the one that deferred on the last question 
involving an interpretation of your legislation. 

Mr. Stearns. Right. Yes. 

Mr. Navin. What I can tell you is that the proposed rules that 
the Commission is considering would get at the situation that con- 
cerns disclosure of Mr. Einhorn’s records in two ways. Number 1, 



113 


by virtue of the use of mandatory passwords, the person who set 
up the account would not have been able to do. And No. 2, because 
the proposed rules in front of the Commission provide for notifica- 
tion to the customer any time their information is changed or their 
call detail records are mailed. As it relates to the legislation, I 
would prefer to allow the other panelists to address that issue. 

Mr. Stearns. OK. Mr. Largent, go ahead. 

Mr. Largent. Would you restate your question? 

Mr. Stearns. Yes. In your opinion, does the bill prohibit the use 
of detailed information or other information from phone records 
from the ability to market other products? 

Mr. Largent. I think that is the open question that we are really 
concerned about this legislation, that it could possibly be read that 
way. 

Mr. Stearns. And that is what my staff is trying to understand. 
Do we need to change this bill so that you have this flexibility? And 
it is not clear. I guess, the confusion is whether we can do this, and 
do you feel it is strong enough that, in your mind, there is this con- 
fusion and you can’t market information without breaking the law? 
And so we don’t want to do that. We don’t want to hurt the ability 
to market, so I think that is what we are trying to understand. 

Mr. Largent. I think clarity is the key word that we would like 
to see in this bill. 

Mr. Stearns. And so you would like to see a change? 

Mr. Largent. Yes. 

Mr. Stearns. OK. 

Mr. McCormick? 

Mr. McCormick. Absolutely, Congressman. We see this ambigu- 
ity as creating a situation where we are potentially engaged in an 
illegal activity if we use our knowledge about the fact that an indi- 
vidual is a telephone customer and use that knowledge in order to 
go to that customer and offer them a bundled package of Internet 
access or video or even to add on a wireless service. We don’t think 
that that was the intent of the committee. We understand that the 
intent of the committee was to protect the kind of information that 
was taken from Mr. Einhorn, but we believe that the bill goes 
much farther than that and does prevent these kinds of marketing 
activities. 

Mr. Stearns. Well, and we are in the early stages here, and so 
we are all listening, so this is the time to say, specifically, yes or 
no. Now the two of you are saying that this bill does make it a lit- 
tle bit dubious whether you can continue your marketing practices. 

Anyone else? 

Mr. Rotenberg. Mr. Stearns, if I could speak to that issue. 

Mr. Stearns. Yes. 

Mr. Rotenberg. I think there really are two distinct questions 
here that need to be clarified. The first is whether or not a tele- 
phone company can communicate with their customers about their 
service offerings. There is nothing in this bill that prevents that, 
and every phone company is free to make available information 
about related services. The second question is whether the compa- 
nies can take advantage of the call detail information, who people 
are calling, what they are doing, how they are communicating, and 
use that private information to determine what type of marketing 



114 


to direct to the customer. Now in my view, and I think the view 
of most American consumers, they would have no problem learning 
about new service opportunities from their current provider or from 
a competitor. That is obviously a good thing for the consumer and 
for the marketplace. I think the specific concern here, which the 
bill appropriately addresses, is that the companies take advantage 
of access to this detailed information and use that as part of the 
marketing determination, and that is where I think we need a 
stronger safeguard. 

Mr. Stearns. So would you, in your mind, then, based upon 
what you said, change the bill? 

Mr. Rotenberg. No, I would leave the bill as it is. I would leave 
it with the opt-in requirement, because if there is going to be use 
of CPNI information for that purpose, then I think the customer 
has the right to say, “Well, that is 

Mr. Stearns. So the opt-in requirement would nullify the need 
to change the bill, because the customer is still in control? 

Mr. Rotenberg. Yes, that is correct. 

Mr. Stearns. Now I guess, Mr. Largent and Mr. McCormick, 
what do you say to that? 

Mr. Largent. Well, I just think that it violates the basic market- 
ing principle that exists in our world today. If we have got a com- 
pany that, say, has 60 million customers and we want to target the 
12 million that we think would be most inclined to want Internet 
service or download music or do whatever, and I mean, our compa- 
nies do so many things today from music, video, television, as well 
as your basic phone service, but if we have got a group of 12 mil- 
lion customers out of 60 million that we think are kind of the heart 
of the market for accessing whatever service it might be, why 
would we have to market to 60 million customers when we know 
that 12 million are our real — that is the heart of our marketing 
strategy. Why should we have to market to 60 million when we 
know that these 12 million are the ones that are going to be most 
interested in the service? 

Ms. DeGette. The gentleman’s time has expired. 

Mr. Stearns. Yes, I just ask 30 seconds to let Mr. McCormick 
finish. 

Ms. DeGette. Without objection. 

Mr. McCormick. Yes, thank you very much. 

Congressman, several years ago. Congress provided for a do-not- 
call list. If you do not want to be solicited, it was an opt-out. The 
way we read this legislation is that for our industry alone, it would 
be a do not call unless the customer opts in. And so all we want 
to do is to make sure that our industry is not treated in an entirely 
unique and discriminatory way. 

Mr. Stearns. I thank you and the gentle lady. 

Ms. DeGette. The Chair now recognizes the distinguished gen- 
tleman from Michigan, Mr. Stupak, for 5 minutes. 

Mr. Stupak. Thank you, Madame Chairman. I apologize for not 
being here. I have been on the floor with an amendment and argu- 
ment down there. 

So Mr. McCormick, the FCC rules require telecommunication 
carriers to have an officer of the company certify annually personal 
knowledge that the company has established operating procedures 



115 


that are adequate to ensure compliance with privacy regulations. 
And each of the companies certified that they have had adequate 
procedures, yet this appears to be a pervasive problem. Doesn’t 
that indicate that something is slipping through the cracks of the 
current system? It would seem we cannot rely on either the certifi- 
cation requirement or the current FCC rules to adequately protect 
consumers. 

Do you care to comment on that? 

Mr. McCormick. Yes, Congressman. 

What we have in the pretexting community is that we have very 
sophisticated lawbreakers. Security protocols in the past, many of 
the companies were using Social Security numbers as identifiers. 
Since individuals like Mr. Einhorn had their records taken through 
pretexting, through the use of Social Security numbers, our compa- 
nies have established protocols that no longer use that. In fact, the 
authentication procedures used by our companies are constantly 
being changed and upgraded in ways to protect against the increas- 
ing sophistication of pretexters. So it is a continuing battle. It is 
an ongoing battle, but we believe that it is important to our rela- 
tionship with our customer to be able to protect our customers’ pri- 
vacy, and we take that very seriously. 

Mr. Stupak. But in response to Mr. Stearns, when I came in 
here, you were talking about opting in and opting out. And in our 
proposal, you have to opt in, which gives the consumer greater pro- 
tection — or opt out, whatever it is there. But the consumer is going 
to hold the key here. Wouldn’t that help to defeat this, what you 
call, sophisticated pretexters? 

Mr. McCormick. No, it would have nothing to do with that, be- 
cause pretexting are calls that come in and the opt-in requirement 
today says that we cannot share the information with anybody be- 
yond selling communication services unless the customer opts in. 
This opt-in requirement doesn’t have to do with calls that are com- 
ing in, pretexting calls that are coming in asking us for informa- 
tion. This opt-in requirement has to do with forcing a customer to 
first say to us, “You may contact me about offering new services, 
and if I don’t give you express authorization beforehand, do not 
call. Hands off.” 

Mr. Stupak. That isn’t related to a third party and not to your 
company? The opt in? Isn’t that related to the third party that 
wants to use it? 

Mr. McCormick. The way we read this bill, no, the law already 
requires opt in with regard to sharing information with third par- 
ties. With regard to this bill, the way we read it is that our own 
companies would not be allowed to market services beyond the 
bucket that they have, the telecom service, without opt in. 

Mr. Stupak. In the investigation here, the way I remember, the 
summary of it, if I will, was the record reflected that it was in 
which where administration sloppiness by the carriers. And in our 
investigation, we saw this as sort of like the key part of the pro- 
gram. So I mean, if the carriers are going to be sloppy, no matter 
how sophisticated you are going to be, but if you are going to be 
sloppy in the way you administer it, you are still going to have this 
pretexting problem, correct? 



116 


Mr. McCormick. Again, I think that we are in full agreement 
with the committee with regard to the need for inbound calls re- 
questing customer proprietary network information, particularly 
call data information, be authenticated so that you do not have 
people who should not be getting that information are getting that 
information. What we don’t want to do, though, is to go on the 
other side where we are making calls out to our customer to offer 
them services that may be offering them greater discounts or sav- 
ings, for those to get swept up. There has never been an instance 
where there has been a problem with pretexting or identify theft 
on the part of marketing calls from our companies out. 

Mr. Stupak. Well, having sat through that pretexting investiga- 
tion, I would say you are right. There is none that we know of, be- 
cause we still get back to this administration sloppiness. 

Mr. Navin, if I may, the FCC order, which prohibits the carriers, 
I am sorry, prohibits providers from releasing call detail informa- 
tion. And that order has been circulated to other commissioners, 
when do you anticipate the order being issued, when it will be com- 
pleted, and what is sort of the hold-up here? 

Mr. Navin. I can tell you that, first of all, it is not a complete 
ban on the release of the call details. It just put in place some secu- 
rity measures, like the use of mandatory passwords. 

Mr. Stupak. OK. 

Mr. Navin. I don’t want to totally frustrate consumers in their 
endeavor to get access to the information. The chairman circulated 
the order at the end of last year. I know that he has been working 
actively with his Commissioner colleagues to try to build consensus 
on the item. He tends to take a consensus approach, because he be- 
lieves that these two stronger opinions by the FCC. That said, I am 
sure that there are many at the Commission who are anxious and 
interested in the Commissioners all being 

Mr. Stupak. Can you give me a timeframe or a guess of when 
this order may be — a consensus on it? It has been a while. 

Mr. Navin. I know that one of the tools that the chairman has 
to bring an item to a vote is by an agenda meeting. 

Mr. Stupak. Right. 

Mr. Navin. So I know that is available to the chairman. I don’t 
know if he has made that decision with regard to this item. 

Ms. DeGette. The gentleman’s time is expired. 

Mr. Stupak. Thank you, Madame Chairman. 

Ms. DeGette. The Chair now recognizes the distinguished gen- 
tleman from Pennsylvania, Mr. Pitts, for 5 minutes. 

Mr. Pitts. Thank you, Madame Chairman. 

First, a question for Ms. Parnes. 

Section 202(a)(1)(E) on page 10 of the bill is similar to the legis- 
lation that the gentleman, Mr. Markey, and I introduced last ses- 
sion, the Wireless 411 Privacy Act, which seeks to keep wireless 
services from disclosing wireless numbers without the affirmative 
consent of the consumer. And we have heard of the unintended 
consequences from Mr. Largent and Mr. McCormick that we may 
need to tweak this language to keep it from having these unin- 
tended consequences regarding marketing of services. But phone 
numbers can be used to help prevent fraud and identity theft, be- 
cause they can be cross checked with information on credit and 



117 


loan applications. And we certainly don’t want to make it harder 
to prevent fraud. Your bureau has a mandate to protect consumers, 
so I would appreciate your thoughts on that. 

Ms. Parnes. Thank you. We do have a mandate to protect con- 
sumers from identity theft. And we actually are very focused on 
how consumers can authenticate themselves in ways to prevent the 
misuse of their own personal information. 

But because this is in title II and it is a part of the bill that falls 
outside the scope of the FTC’s jurisdiction, we would have to really 
go back and look at this and consult with our colleagues at the 
FCC to understand how this would operate. And we would be 
happy to get back to you on that. 

Mr. Pitts. All right. 

Steve, it is great to see you. You are a good friend and former 
colleague, and it is always good to work with you. And I under- 
stand that you are willing to work with us on clarification regard- 
ing marketing of services, but the phone number is not CPNI. That 
refers to data about the phone records and the behavior. Phone 
numbers can be cross checked on applications for credit, and other 
critical services. And do you see the unintended consequences re- 
garding that that we need to tweak this language about? 

Mr. Largent. We would be glad to work with you on that. Con- 
gressman. And I would just tell you that on the other issue, on the 
wireless directory assistance, that there is no evidence 

Mr. Pitts. I was just going to ask you, is there still any interest 
in creating a directory? 

Mr. Largent. None that I am aware of. 

Mr. Pitts. Good. I am happy to hear that. And thank you for 
agreeing to work with us and providing language to work out any 
unintended consequences. 

Thank you, Madame Chairman. 

Ms. DeGette. The gentleman yields back. 

The Chair now recognizes the distinguished gentleman from 
Washington State, Mr. Inslee, for 5 minutes. 

Mr. Inslee. Thank you. I would like to ask about this third party 
sharing of information for marketing and other purposes to make 
sure I understand it. 

Just give a hypothetical. XYZ Phone Company wants to enter 
into a joint venture with Acme Travel Company, and they want to 
share databases so that the travel company can focus their market- 
ing efforts to see who is traveling and who is calling Paris, and 
maybe they want to market these people. I want to ask, Mr. Navin, 
Mr. Largent, and Mr. McCormick, under want circumstances 
should the phone company be able to share that information with 
Acme Travel Company? What would happen to happen first or sec- 
ond in that regard? And in particular, Mr. Navin, if you could tell 
me about the relationship between your proposed rule and this leg- 
islation and how they contrast or compare or are similar? If I could 
ask you three gentlemen that question. 

Mr. Navin. Well, currently, as has been discussed, the rule that 
the Commission has as it relates to joint venture partners is an 
opt-out rule. In other words, the carriers do not need the express 
consent by consumers to use this CPNI to market communications- 
related services. So that is the current state of the Commission’s 



118 


law. What the chairman has proposed to do is to change that from 
an opt-out approach to an opt-in approach, in other words, you 
would need express consent from the consumer to use this CPNI 
to market communications-related services. So that is specifically 
what the chairman has proposed in the order in front of us. 

Mr. Inslee. And I am sorry. I would think these would be non- 
communication-related services. 

Mr. Navin. I believe under our existing rules, they would not be 
allowed to market or be allowed to disclose the information to joint 
venture partners for non-communication-related services on an opt- 
out approach. They would not be allowed to do that. 

Mr. Inslee. So what your proposed rule under consideration now 
would be to treat non-communication services and communication 
services the same, which is you would have to opt in before it was 
allowed? Is that the current play? 

Mr. Navin. That is correct. I would like to get back to you on 
whether or not the carriers could actually disclose the information 
to a joint venture partner for non-communications-related services. 

Mr. McCormick. I think I can answer that, Mr. Inslee. Our read- 
ing of the law is that the law would not allow us to share any infor- 
mation with an allied travel without the express consent of the cus- 
tomer, and that, as a matter of practice, none of our companies do 
it anyway. The legislation under consideration would, instead, say 
that with regard to any communications-related services, for exam- 
ple, if a local company, one of our local companies, wanted to offer 
to its customer a bundle package that included local and long dis- 
tance, we would not be able to contact that customer unless the 
customer first opted in and allowed us to use the fact that it was 
a local customer for us to then say, “You are paying $25 for local 
service. We will offer you a bundle package with long distance for 
$35.” Or to add that customer in for DSL service. And if that is 
not the intent of the committee, then what we would hope is that 
the bill would be clarified so that that ambiguity would not be 
there. 

Mr. Largent. Yes, I would just ditto everything Walter said. We 
feel the same way. Our companies are not taking customers’ names 
or numbers and marketing them or selling them to third parties 
that don’t have anything to do with telecommunications. We use 
those to market our services to our own customers only. 

Mr. Inslee. Mr. McCormick, you discussed this, you would be 
discriminated against if this was an opt-in. I am thinking about 
this, so I don’t show you any position that I have right now, but 
I do want to say that, at least I have taken a position that if other 
industries should be an opt-in, for instance, I believe you should 
have to opt in to get my checking account records. I lost that battle 
in the past couple of Congresses. If I come down and it sounds dif- 
ferently, it is not to discriminate against you but to remain consist- 
ent, of course, according to what I think most of my constituents 
want at the moment. 

Mr. McCormick. Well, I understand the desire to opt in in order 
to get checking account records, call detail information. What we 
are really talking about here is kind of like a do-not-call list. And 
as I said before. Congress passed the do-not-call law that was an 
opt-out. If you don’t want to be called, you can opt out. This would 



119 


say, with regard to our industry alone, customers would have to opt 
in before we were allowed to call our own customer. And I don’t 
think that is the committee’s intent, and that is what we would 
like to clarify. 

Mr. Inslee. ok. Is there any middle ground here where you 
would not disclose specific identity of the callers or callee but cer- 
tain general characteristics if you reach some joint venture market- 
ing situation? Is that possible? 

Mr. McCormick. Yes, there is a lot of middle ground here. I 
think that all of the concerns that the committee has about identity 
theft and pretexting and privacy of customer records are concerns 
that we share. And what we want to be able to do is to simply be 
able to work in an effective way to market new services, particu- 
larly bundled services, in a way that competes with all of the other 
businesses out there that are looking for new and innovative ways 
of offering consumers a package that the consumers will find more 
efficient, higher savings, and more convenient. 

Mr. Inslee. Thank you. 

Ms. DeGette. The Chair now recognizes Mr. Burgess, distin- 
guished gentleman from Texas, for 6 minutes. 

Mr. Burgess. Thank you, Madame Chairman. 

Let me just follow-up on Mr. Inslee’s comments. Mr. McCormick, 
why do you need the CPNI information to market to your cus- 
tomers? Can’t you just do this from other data that you would 
have? 

Mr. McCormick. There is a difference between CPNI, customer 
proprietary network information, and call-detail information. Cus- 
tomer proprietary network information is, arguably, everything 
about that customer: his service package, does he take a local serv- 
ice, does he take call answering, does he take call forwarding, does 
he also take Internet access, does he take long distance? That is 
different than the call-detail information. Call-detail information, 
we don’t even keep call-detail information for local calls. On long 
distance calls, call-detail information is kept only for billing pur- 
poses. It is the call-detail information that is sought by pretexters. 
It was sought in the case of Mr. Einhorn. We understand the desire 
of the committee to afford additional safeguards to third parties 
being able to come in and access that call-detail information, people 
who should not have access to it. but for purposes of our being able 
to use joint venture partners to go out and to market for us add- 
on services like Internet access, video, or even new pricing pack- 
ages for long distance, family plans, favorite five plans, that infor- 
mation for hieing able to market outward has never been used for 
pretexting. There is not any case whatsoever where there has ever 
been an inappropriate use of that information that has violated the 
privacy of an individual for outward marketing purposes. 

Mr. Largent. And I would just add to that, not even when third 
parties were located not in the United States. Those third-party 
agreements that they had with the carriers are sacrosanct to those 
third parties, because if they violate them, then they are out the 
door, their business is out the door. 

Mr. Burgess. I guess it was in the O&I Subcommittee, I think 
we had 17 people take the fifth one morning. And I can’t even do 
the math to figure out what number that would be, 17 times 5. But 



120 


I am very glad that you don’t call those individuals and provide 
them information. Mr. Stupak was here that morning. That was an 
unbelievable arrangement of individuals. I still have nightmares 
about Ma Bell from Arizona. 

Well, then, so I understand we are obviously trying to craft a 
piece of legislation that will endure, and your industry moves and 
changes very fast, and our legislation will be there in perpetuity for 
the rest of my natural lifetime, so we want it to be done correctly. 
And I guess I get the impression from the way the questions have 
been going back and forth, that you have some concerns about the 
overly-broad drafting of the language in title II of this bill, is that 
correct? 

And I assume you have made those concerns available to the ap- 
propriate committee staff? 

And Mr. Navin, you are not allowed to help in that or at some 
point will you be able to help us in that? 

Mr. Navin. No, the Commission would be happy to help and 
happy to provide technical assistance on the bill, but I just re- 
viewed the bill for purposes of preparing for this hearing, and I 
don’t want to simply give my impressions. I would rather coordi- 
nate with the folks at the Commission. 

Mr. Burgess. OK. But that information or that technical assist- 
ance is going to be available to the committee staff and committee 
members as we go through the process of marking up and deliver- 
ing this bill? 

Mr. Navin. Absolutely. 

Mr. Burgess. OK. Mr. Einhorn, you have been so kind to sit 
with us all morning, and I appreciate your involvement in this. It 
won’t do any good for me to apologize to you, but I will do it any- 
way, that you suffered the problems that you did. 

Now just so that I understand clearly when Mr. Markey was ask- 
ing you the question, and he is gone, but I will try to paraphrase 
it, and I hope I am accurate, where he said shouldn’t the company 
have notified you immediately about a breach of security or the 
pretexting that occurred. How did they know that the pretexting 
had occurred? When these guys have sat in front of us and gave 
us examples of pretexting, they were so cleaver about how they did 
stuff, how did they know that your information had been delivered 
to the wrong hands? 

Mr. Einhorn. Well, I am glad you came back to that, because I 
wanted to elaborate on the question that was asked before. I am 
actually a victim of pretexting in two separate circumstances. The 
first relates to my home telephone records where the company did 
not, in any way, notify us that we were pretexted. What actually 
happens is 

Mr. Burgess. Well, let me just interrupt you there. How did they 
know? 

Mr. Einhorn. Who is “they”? 

Mr. Burgess. The company, AT&T, I guess. 

Mr. Einhorn. AT&T did not notify us or even necessarily know 
that we had been pretexted. 

What happened was we tried to sign up for an online account to 
pay our bills, and they said, “You can’t do that, because the account 
has actually already been opened.” And then you say, “Well, who 



121 


opened the account?” And then AT&T was able to tell us the de- 
tails of how the account was opened. 

Mr. Burgess. So they did not verify that with mailing that infor- 
mation back to you after the new account was opened? 

Mr. Einhorn. That is correct. I was not contacted. 

And then second, our business records were involved with 
pretexting. And in that particular case, we only learned about that 
when Allied Capital put out a press release saying they had things 
that were purported to be our business records in response to an 
investigation they were conducting in response to a grand jury sub- 
poena. So if they hadn’t been asked that by the Justice Department 
or by the grand jury to find out whether or not they had actually 
taken our records, we never would have known until this day that 
these records were taken. 

Mr. Burgess. And the same situation, that company that was 
pretexted did not call back for verification after? Did they open a 
new account as well? 

Mr. Einhorn. Well, even now we don’t know how they did it. We 
don’t know whether they did this somehow online. We don’t know 
if they bribed an official at the phone company. We have no idea 
what records they have or how they obtained those records or for 
what use they made. And that is still true to this moment, because 
we have gotten no explanation from Allied Capital as to what they 
have done. 

Mr. Burgess. So if Allied Capital hadn’t issued a press release, 
you wouldn’t even, in fact, know about it until this day? 

Mr. Einhorn. Relating to the business records, that is correct. 

Ms. DeGette. The gentleman’s time is expired. 

Mr. Burgess. Thank you, Madame Chairman. 

Ms. DeGette. Yes. The Chair would inquire of the Federal Trade 
Commission. Are you investigating these business practices by Al- 
lied Capital? 

Ms. Parnes. Madame Chairman, the Commission investigations 
are non-public, so we would be happy to talk to you in a non-public 
briefing. 

Ms. DeGette. Thank you. The Chair wants to thank all of the 
witnesses today. And following up on some questioning by Mr. Bur- 
gess, I would say, we are not in the initial stages of developing this 
legislation. We are in the final throws, and so if witnesses today 
or other members of the audience wish to give specific suggestions 
on development of this legislation, the committee would much ap- 
preciate those efforts. 

And again, I want to thank everybody for coming, and the hear- 
ing is adjourned. 

[Whereupon, at 1:30 p.m., the committee was adjourned.] 


o 



